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Abstract. We study distributed agreement in synchronous directed dynamic networks, where an 
omniscient message adversary controls the presence/absence of communication links. We prove that 
consensus is impossible under a message adversary that guarantees weak connectivity only, and in¬ 
troduce vertex-stable root components (VSRCs) as a means for circumventing this impossibility: 
A VSRC(fc,d) message adversary guarantees that, eventually, there is an interval of d consecutive 
rounds where every communication graph contains at most k strongly connected components con¬ 
sisting of the same processes (with possibly varying interconnect topology), which have at most 
out-going links to the remaining processes. We present a consensus algorithm that works correctly 
under a VSRC(1,4R’ -1-2) message adversary, where H is the dynamic causal network diameter. 
Our algorithm maintains local estimates of the communication graphs, and applies techniques for 
detecting network stability and univalent system configurations. Several related impossibility re¬ 
sults and lower bounds, in particular, that neither a VSRC(l,iif— 1) message adversary nor a 
VSRC(2, oo) one allow to solve consensus, reveal that there is not much hope to deal with (much) 
stronger message adversaries here. 

However, we show that gracefully degrading consensus, which degrades to general fc-set agreement 
in case of unfavorable network conditions, allows to cope with stronger message adversaries: We 
provide a fc-uniform fc-set agreement algorithm, where the number of system-wide decision values k 
is not encoded in the algorithm, but rather determined by the actual power of the message adversary 
in a run: Our algorithm guarantees at most k decision values under a VSRC(n, d) -|- MAJINF(fc) 
message adversary, which combines VSRC(n, d) (with some small value of d, ensuring termination) 
with some information flow guarantee MAJINF(fc) between certain VSRCs (ensuring fc-agreement). 
Since related impossibility results reveal that a VSRC(fe, d) message adversary is too strong for 
solving fc-set agreement and that some information flow between VSRCs is mandatory for this 
purpose as well, our results provide a significant step towards the exact solvability/impossibility 
border of general fc-set agreement in directed dynamic networks. 

Keywords: Directed dynamic networks, consensus, fc-set agreement, message adveraries, impos¬ 
sibility results, lower bounds. 


1 Introduction 

Dynamic networks, instantiated, e.g., by wireless sensor networks, mobile ad-hoc networks and vehicle 
area networks, are becoming ubiquitous nowadays. The primary properties of such networks are sets of 
participants (called processes in the sequel) that are a priori unknown and potentially changing, time- 
varying connectivity between processes, and the absence of a central control. Dynamic networks is an 
important and very active area of research [37]. 

Accurately modeling dynamic networks is challenging, for several reasons: First, process mobility, 
process crashes/recoveries, deliberate joins/leaves, and peculiarities in the low-level system design like 
duty-cycling (used to save energy in wireless sensor networks) make static communication topologies, as 
typically used in classic network models, inadequate for dynamic networks. Certain instances of dynamic 
networks, in particular, peer-to-peer networks [39] and inter-vehicle area networks [24], even suffer from 
significant churn, i.e., a large number of processes that can appear/disappear over time, possibly in the 
presence of faulty processes [4], and hence consist of a potentially unbounded total number of participants 
over time. More classic applications like mobile ad-hoc networks (MANETS) [34], wireless sensor networks 
[3,57] and disaster relief applications [41] typically consist of a bounded (but typically unknown) total 
number of processes. 


Second, communication in many dynamic networks, in particular, in wireless networks like MANETS, 
is inherently broadcast: When a process transmits, then every other process within its transmission 
range will observe this transmission — either by legitimately receiving the message or as some form of 
interference. This creates quite irregular communication behavior, such as capture effects and near-far 
problems [56], where certain (nearby) transmitters may “lock” a receiver and thus prohibit the reception 
of messages from other senders. Consequently, the “health” of a wireless link between two processes may 
vary heavily over time [15]. For low-bandwidth wireless transceivers, an acceptable link quality usually 
even requires communication scheduling [48] (e.g., time-slotted communication) for reducing the mutual 
interference. Overall, this results in a frequently changing spatial distribution of pairs of nodes that can 
communicate at a given point in time. 

As a consequence, many dynamic networks, in particular, wireless ones [14], are not adequately 
modeled by means of bidirectional links: Fading and interference phenomenons [29,51], including capture 
effects and near-far problems, are local effects that affect only the receiver of a wireless link. Given that 
the sender, which is also the receiver of the reverse link, resides at a different location, the two receivers 
are likely to experience very different levels of fading and interference [26]. This effect is even more 
pronounced in the case of time-slotted communication, where forward and backward links are used at 
different times. Consequently, the existence of asymmetric communication links cannot be ruled out in 
practice: According to [45], 80% of the links in a typical wireless network are asymmetric. 

Despite these facts, most of the dynamic network research we are aware of assumes bidirectional 
links [36,38]. The obvious advantage of this abstraction is simplicity of the algorithm design, as strong 
communication guarantees obviously make this task easier. Moreover, it allows the re-use of existing 
techniques for wireline networks, which naturally support bidirectional communication. However, there 
are also major disadvantages of this convenient abstraction: First, for dynamic networks that operate in 
environments with unfavourable communication conditions, e.g. in disaster relief applications or, more 
generally, in settings with various interferers and obstacles that severely inhibit communication, bidi¬ 
rectional links may simply not be achievable. For implementing distributed services in such settings, 
algorithms that do not need bidirectional links are mandatory. Second, the entire system needs to be 
engineered in such a way that bidirectional single-hop communication can be provided within bounded 
time. This typically requires relatively dense networks and/or processes that are equipped with power¬ 
ful communication interfaces, which incur significant cost when compared to sparser networks or/and 
cheaper or more energy-saving communication devices. And last but not least, if directed single-hop 
communication was already sufficient to reach some desired goal (say, reaching some destination process) 
via multi-hop messages, waiting for guaranteed single-hop bidirectional communication would incur a 
potentially significant, unnecessary delay. Obviously, in such settings, algorithmic solutions that do not 
need bidirectional single-hop communication could be significantly faster. 

In this paper, we thus restrict our attention to dynamic networks consisting of an unknown but 
bounded total number of processes, which are interconnected by directed communication links. The sys¬ 
tem is assumed to be synchronous,"^ hence time is measured in discrete rounds that allow the processes to 
exchange at most one message. Time-varying communication is modeled as a sequence of communieation 
graphs, which contain a directed edge between two processes if the message sent in the correspond¬ 
ing round is successfully received. A bidirectional link is modeled by a pair of directed links that are 
considered independent of each other here. 

A natural approach to build robust services despite the dynamic nature of such systems is to use some 
sort of distributed agreement on certain system parameters like schedules, frequencies, and operating 
modes, as well as on application-level issues: Such a solution allows to use arbitrary algorithms for 
generating local proposals, which are supplied as inputs to a consensus algorithm that finally selects one 
of them consistently at all processes. As opposed to master-slave-based solutions, this approach avoids 
the single point of failure formed by the process acting as the master. 

The ability to reach system-wide consensus is hence the most convenient abstraction one could provide 
here. The first® major contribution of our paper is hence a suite of impossibility results and a consensus 

^ As synchronized clocks are typically required for basic communication in wireless systems anyway, e.g., for 
transmission scheduling and sender/receiver synchronization, this is not an unrealistic assumption: Global 
synchrony can be implemented directly at low system levels, e.g., via IEEE 1588 network time synchronization 
or GPS receivers, or at higher levels via time synchronization protocols like FTSP [43] or even synchronizers [6]. 
® A preliminary version of this part of our paper has appeared at SIROGCOT2 [9]. 
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algorithm for directed dynamic networks that, to the best of our knowledge, works under the weakest 
communication guarantees sufficient for consensus known so far. 

Obviously, however, one cannot reasonably assume that every dynamic network always provides suffi¬ 
ciently strong communication guarantees for solving consensus. Fortunately, weaker forms of distributed 
agreement are sufficient for certain applications. In case of determining communication schedules [48], 
for example, which are used for staggering message transmission of nearby nodes in time to decrease 
mutual interference, it usually suffices if those processes that have to communicate regularly with each 
other (e.g., for implementing a distributed service within a partition) agree on their schedule. A more 
high-level example would be agreement on rescue team membership [28] in disaster relief applications. 

For such applications, suitably designed k-set agreement algorithms [17], where processes must agree 
on at most k different values system-wide, are a viable alternative to consensus {k = 1). This is particu¬ 
larly true if such a k-set agreement (i) respects partitions, in the sense that processes in the same (single) 
partition decide on the same value, and (ii) is gracefully degrading, in the sense that the actual number 
k of different decision values depends on the actual network topology in the execution: If the network 
is well-behaved, the resulting k is small (ideally, k = 1), whereas k may increase under unfavorable 
conditions. Whereas any gracefully degrading algorithm must be /c-uniform, i.e., unaware of any a priori 
information on k, it should ideally also be k-optimal, i.e., produce the smallest number k of different 
decisions possible. 

The second® major contribution of our paper are several impossibility results for k-set agreement in 
directed dynamic networks, as well as the, to the best of our knowledge, first instance of a worst-case 
/c-optimal k-set agreement, i.e., a consensus algorithm that indeed degrades gracefully to general fc-set 
agreement. 

Detailed contributions and paper organization. 

In Section 3, we introduce our detailed system model, which adopts the message adversary notation 
used in [49]. It consists of an (unknown) number n of processes, where communcation is modeled by 
a sequence of directed communication graphs, one for each round: If some edge (p, q) is present in the 
communication graph Q'" of round r, then process q has received the message sent to it by p in round 
r. The message adversary determines the set of links actually present in every Q'', according to certain 
constraints that may be viewed as network assumptions. 

With respect to consensus, we provide the following contributions: 

(1) In Section 4, we show that communication graphs that are weakly connected in every round are 
not sufficient for solving consensus, and introduce a fairly weak additional assumption that allows to 
overcome this impossibility. Our message adversary VSRC(c?) requires that the communication graph 
in every round is weakly connected and has one (possibly changing) strongly connected component 
(called a root component) that has no in-coming links from processes outside. Note carefully that 
every directed graph has at least one root component. Since this assumption is still too weak for 
solving consensus, VSRC((i) also requires that, eventually, there will be d consecutive rounds where 
the processes in the root component remain the same, although the connection topology may still 
change. We use the term vertex-stable root component (VSRC) for this requirement. In Section 5, 
we provide a consensus algorithm that works in this model, and prove its correctness. Our algorithm 
requires a window of stability of d = AH -\- 2 rounds, where H is the dynamic network causal 
diameter of the network (= the number of rounds required to reach all processes in the network from 
any process in the vertex-stable root component via multi-hop communication). 

(2) In Section 4, we show that any consensus and leader election algorithm has to know an a priori 
bound on H. Since n — 1 is a trivial bound on H, this implies that no uniform algorithm, i.e., no 
algorithm unaware of n or H, can solve consensus in our model. In addition, we prove that consensus 
is impossible both under VSRC(2,oo) and under VSRC (id — 1), which shows that id is a lower 
bound for the window of stability of VSRCs. We also demonstrate that neither reliable broadcast, 
atomic broadcast, nor causal-order broadcast can be implemented under VSRC(d). The same is 
shown to be true for counting, fc-verification, fc-token dissemination, all-to-all token dissemination, 
and fc-committee election. 

With respect to fc-set agreement and gracefully degrading consensus, we provide the following con¬ 
tributions: 

® A brief announcement of this part of our paper appeared at PODCT4 [53]. 
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(3) In Section 6, we provide a fairly weak natural message adversary VSRC(A:, d) that is still too strong 
for solving k-set agreement: It reveals that the restriction to at most k simultaneous VSRCs in every 
round is not sufficient for solving fc-set agreement if just a single VSRC is vertex-stable for less than 
n — k rounds: A generic reduction of k-set agreement to consensus introduced in [7], in conjunction 
with certain bivalence arguments, is used to construct a non-terminating run in this case. Moreover, 
eventual stability of all VSRCs is also not enough for solving k-set agreement, not even when it is 
guaranteed that (substantially) less than k VSRCs exist simultaneously. The latter is a consequence 
of some adversarial partitioning over time, which could happen in our dynamic networks. 

(4) In Section 7, we show that the message adversary VSRC(n, d) -I- MAJINF(fc), which combines 
VSRC(n, d) (ensuring termination) with some information flow guarantee MAJINF(fc) between cer¬ 
tain VSRCs (ensuring fc-agreement), is sufficient for solving fc-set agreement. Basically, MAJINF(fc) 
guarantees that at most k VSRCs exist in a run that are not affecting each other significantly. Despite 
being fairly strong, the resulting message adversary VSRC(n, d) -l-MAJINF(fc) allows to implement a 
/c-uniform fc-set agreement algorithm, which naturally respects partitions and is worst-case k-optimal, 
in the sense that no algorithm can solve k — 1-set agreement under VSRC(n,d) -I- MAJINF(fc). To 
the best of our knowledge, it is the first gracefully degrading consensus algorithm proposed so far. 

As a final remark, we note that the ultimate goal of the latter part of our research are network 
assumptions for every I ^ fc < n, which are both necessary and sufficient for solving fc-set agreement. 
Knowing or at least approaching this border is interesting for several reasons: First, it is interesting from 
a theoretical point of view: fc-set agreement has been a major target for the study of solvability in asyn¬ 
chronous systems with failure detectors since decades.^ Second, striving for weak network assumptions 
is always advantageous w.r.t. the assumption coverage in real systems, as they are typically more likely 
to hold in a given dynamic network. Finally, a set of network assumptions close to the necessary and 
sufficient ones is needed for fc-optimal fc-set agreement algorithms: Whereas our worst-case fc-optimal 
algorithm only needs a single worst-case run under VSRC(n, d) -I- MAJINF(fc) where it cannot solve 
fc — 1-set agreement, a fc-optimal algorithm must solve fc-set agreement for the smallest k possible in 
every run. 

We believe that our work constitutes a significant step towards identifying the exact solvability border 
of fc-set agreement: Since necessary and sufficient network conditions in our model must lie somewhere in 
between (3) and (4), we managed to tightly “enclose” them. Further tightening the gap and eventually 
closing it, is a topic of future research. 


2 Related Work 

Dynamic networks have been studied intensively in research (see the overview by Kuhn and Oshman [37] 
and the references therein). Besides work on peer-to-peer networks like [39], where the dynamicity of 
nodes (churn) is the primary concern, different approaches for modeling dynamic connectivity have been 
proposed, both in the networking context and in the context of classic distributed computing. Casteigts 
et al. [13] introduced a comprehensive classification of time-varying graph models. 

Models. There is a rich body of literature on dynamic graph models going back to [30], which also 
mentions for the first time modeling a dynamic graph as a sequence of static graphs. A more recent 
paper using this approach is [36], where distributed computations are organized in lock-step synchronous 
rounds. Communication is described by a sequence of per-round communication graphs, which must 
adhere to certain network assumptions (like T-interval connectivity, which says that there is a common 
subgraph in any interval of T rounds). Afek and Gafni [1] introduced message adversaries for specifying 
network assumptions in this context, and used them for relating problems solvable in wait-free read-write 
shared memory systems to those solvable in message-passing systems. Raynal and Stainer [49] also used 
message adversaries for exploring the relationship between round-based models and failure detectors. 

Besides time-varying graphs, several alternative approaches that consider missing messages as failures 
have also been proposed in the past: Moving omission failures [50], round-by-round fault detectors [27], 
the heard-of model [16] and the perception-based failure model [II]. 

^ Despite all efforts, however, the weakest failure detector for message-passing fc-set agreement is still unknown 
[12]. Interestingly, [49] revealed that there are relations between this classic model and dynamic networks. 
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Agreement problems. Agreement problems in dynamic networks with undirected communication 
graphs have been studied in [5,19,38]; agreement in directed graphs has been considered in [1,9,20,49,52]. 

In particular, the work by Kuhn et al. [38] focuses on the Z\-coordinated consensus problem, which 
extends consensus by requiring all processes to decide within A rounds of the first decision. Since they 
consider only undirected graphs that are connected in every round, without node failures, solving con¬ 
sensus is always possible. In terms of the classes of [13], the model of [35] is in one of the strongest classes 
(Class 10) in which every process is always reachable by every other process. On the other hand, [20,52] 
do consider directed graphs, but restrict the dynamicity by not allowing stabilizing behavior. Conse¬ 
quently, they also belong to quite strong classes of network assumptions in [13]. In sharp contrast, the 
message adversary tolerated by our algorithms does not guarantee bidirectional (multi-hop) communi¬ 
cation between all processes, hence falls between the weakest and second weakest class of models defined 
in [13]. 

The leader election problem in dynamic networks has been studied in [18,19], where the adversary 
controls the mobility of nodes in a wireless ad-hoc network. This induces dynamic changes of the (undi¬ 
rected) network graph in every round and requires any leader election algorithm to take n{Dn) rounds 
in the worst case, where D is a bound on information propagation. 

Regarding fc-set agreement in dynamic networks, we are not aware of any previous work except [54], 
where bidirectional links are assumed, and our previous paper [8], where we assumed the existence of 
an underlying static skeleton graph (a non-empty common intersection of the communication graphs of 
all rounds) with at most k static root components. Note that this essentially implies a directed dynamic 
network with a static core. By contrast, in this paper, we allow the directed communication graphs to be 
fully dynamic. In [10], we provided fc-set agreement algorithms for partially synchronous systems with 
weak synchrony requirements. 

Degrading consensus problems. We are also not aware of related work exploring gracefully degrading 
consensus or fc-uniform fc-set agreement. However, there have been several attempts to weaken the seman¬ 
tics of consensus, in order to cope with partitionable systems and excessive faults. Vaidya and Pradhan 
introduced the notion of degradable agreement [55], where processes are allowed to also decide on a 
(fixed) default value in case of excessive faults. The almost everywhere agreement problem introduced 
by [22] allows a small linear fraction of processes to remain undecided. Aguilera et. al. [2] considered 
quiescent consensus in partitionable systems, which requires processes outside the majority partition not 
to terminate. None of these approaches is comparable to gracefully degrading k-set agreement, however: 
On the one hand, we allow more different decisions, on the other hand, all correct processes are required 
to decide and every decision must be the initial value of some process. 

Ingram et. al. [32] presented an asynchronous leader election algorithm for dynamic systems, where 
every component is guaranteed to elect a leader of its own. Whereas this behavior clearly matches 
our definition of graceful degradation, contrary to decisions, leader assignments are revocable and the 
algorithm of [32] is guaranteed to successfully elect a leader only once the topology eventually stabilizes. 

3 Model 

We consider a synchronous distributed system made up of a fixed set of distributed processes U = 
{pi,... ,p„} with jilj = n ^ 2, which have fixed unique ids and communicate via unreliable message 
passing. For convenience, we assume that the unique id oi pi € U is i, and use both pi and i for denoting 
this process; “generic” processes will also be denoted by p, q etc. 

Similar to the COCAC model [46], we assume that processes organize their computation as an infinite 
sequence of communication-closed [23] lock-step rounds. For every p G 11 and each round r > 0, let 
Sp € §p be the state of p at the beginning of round r, taken from the set §p of all states p can possibly 
enter; Sp £ Sj, C Bp is taken from the set of p’s initial states Bp. The round r computation of process p is 
determined by two functions that make up p’s algorithm: The message sending function Mp : Bp ^ A4 
determines the message m”, taken from a suitable message alphabet M, sent to all other processes in 
the system by p in round r, based on p’s state S'” at the beginning of round r. For simplicity, we assume 
that some (possibly NULL £ M) message is sent to all in a round where there is no proper algorithm 
message to be broadcast. A receiver may omit to receive a message sent to it in a round, and senders 
do not know (without receiving explicit feedback later on) who successfully received their message. The 
transition function Tp : Bp x Sp takes p’s state 5” at the beginning of round r and a set 
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(a) (b) (c) g^ 

Fig. 1 

Up of pairs of process ids and messages, which contains the round r messages received by p from other 
processes in the system, and computes the successor state 5'^+^. We assume that, for each process q, 
there is at most one {q.wT^) G Pp such that is the message q sent in round r. Note that neither Mp 
nor Tp need to involve n, i.e., the algorithms executed by the processes may be uniform with respect to 
the network size n. 

The evolving nature of the network topology is modeled as an infinite sequence of simple directed 
graphs g^,g'^,..., which is determined by an omniscient message adversary [1,49] that has access to the 
processes’ states. 

Definition 1 (Communication graphs). For eaeh round r, the round r communication graph = 
(y,E^) is a simple directed graph with node set V = 11 and edge set C {{p ^ q)'- p,q p G V}, 
where (p ^ q) G E^ iff q successfully reeeives p’s round r message (in round r). The set Afg denotes q’s 
in-neighbors in Q'" (exeluding q). 

Note that we will sloppily write {p ^ q) G G’’ to denote {p ^ q) G E’’, as well as p G G'' to denote 
p£V = n. 

Fig. 1 shows a sequence of communication graphs for a network of 5 processes, for rounds 1 to 3. For 
deterministic algorithms, a run is completely determined by the initial states of the processes and the 
sequence of communication graphs. We emphasize that p does not have any a priori knowledge of its 
neighbors, i.e., p does not know who receives its round r message, and does not know who it will receive 
from in round r before its round r computation. 

Since every G^ can range arbitrarily from n isolated nodes to a fully connected graph, there is no 
hope to solve any non-trivial agreement problem without restricting the power of the adversary to drop 
messages® to some extent. Inspired by [49], we encapsulate a particular restriction, e.g., that every 
communication graph must be strongly connected, by means of a particular message adversary. Note 
that Def. 2 generalizes the notation introduced in [1], which just specified the set of communciation 
graphs the adversary may choose from in every round, to sets of sequences of communication graphs. 

Definition 2 (Message adversary) . A message adversary Adv (for our system 11 of n processors) 
is a set of sequences of communication graphs {G’')r>o- ^ particular sequence of communication graphs 
(A’')r>o is feasible for Adv, if (A’')r>o G Adv. 

Informally, we say that some message adversary Adv guarantees some property, called a network assump¬ 
tion, if every {G’')r>o G Adv satisfies this property. 

For our system 77 of n processes, this introduces a natural partial order of message adversaries, where 
A is weaker than B (denoted A ^ 77) iff A C 77, i.e., if it can generate at most the communication graph 
sequences of 77. As a consequence, an algorithm that works correctly under message adversary 77 will 
also work under A. 

3.1 Consensus and fc-set agreement 

To formally introduce the consensus and fc-set agreement problem studied in this paper, we assume some 
finite set V and consider the set of possible initial states §p (of process p) to be partitioned into |V] 

® Even though the adversary can only affect communication in our model, it is also possible to model classic send 
and/or receive omission process failures [47] (and thereby also crash failures): A process that is send/receive 
omission faulty in round r has no outgoing/incoming edges to/from some other processes in G’". 
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subsets §p[u], with u e V. When p starts in a state in Sp[u], we say that v is p's input value, denoted 
Xp = V. Moreover, we assume that, for each u G V, there is a set Vplv] C Bp of decided states such that 
'Dp[v\ n 2?p[w] = 0 if u 7 ^ w and 'Dp[w\ is closed under p's transition function, i.e., Tp maps every state 
in this subset to this subset (for all possible sets Pp of received messages). We say that p has decided on 
the output value (also called decision value) u, denoted pp = v, when it is in some state in 2?p[u]. When 
p performs a transition from a state outside of the set of decided states to the set of decided states, we 
say that p decides. 

Definition 3 (Consensus). Algorithm A solves consensus, if the following properties hold in every run 
of A: 

(Agreement) If process p decides on Pp and q decides on pq, then Pp = Pq. 

(Validity) If pi = v, then v is some pj's initial value Xj. 

(Termination) Every process must eventually decide. 

For the k-set agreement problem [17], we assume that both jVj > k and n > k to rule out trivial 
solutions. 

Definition 4 (fc-set agreement). Algorithm A solves k-set agreement, if the following properties hold 
in every run of A: 

(k-Agreement) At most k different decision values are obtained system-wide in any run. 

(Validity) If pi = v, then v is some pj’s initial value Xj. 

(Termination) Every process must eventually decide. 

Clearly, consensus is the special case of 1-set agreement; set agreement is a short-hand for n — 1-set 
agreement. 

A consensus or k-set agreement algorithm is called uniform, if it does not have any a priori knowledge 
of the network (and hence of n). A fc-set agreement algorithm is called k-uniform, if it does not require 
a priori knowledge of k. 


3.2 Basic network properties: Vertex-stable root components 

We will now define the cornerstones of the message adversaries used in our paper, which culminate in 
Def. 9 and Def. 10. Message adversaries such as VSRC(d) (Def. 12) and VSRC(fc, d) (Def. 15) will be de¬ 
fined implicitly, by defining the properties of the sequences of feasible communication graphs. Informally, 
most of those will rest on the pivotal concept of root components, which are strongly connected com¬ 
ponents in Q''' without incoming edges from processes outside the component. Our message adversaries 
will be required to eventually guarantee root components that are vertex-stable, i.e., to consist of the 
same set of nodes (with possibly varying interconnect) during a sufficiently large number of consecutive 
rounds. Vertex-stability will eventually guarantee that all members can receive information from each 
other. 

Definition 5 (Root Component). A root component i?’’, with non-empty set of vertices RC 11, is a 
strongly connected component (SCO) in O'" that has no incoming edges from other components, formally 
Vp € ,yq G : (q p) £ ^ q G RV 

By contracting SCCs, it is easy to see that every weakly connected directed simple graph Q has at least 
one root component, see Lem. 6. Hence, if g has k root components, it has at most k weakly connected 
components (with disjoint root components, but possibly overlapping in the remaining processes). 

Definition 6 (Vertex-Stable Root Component). A sequence of consecutive rounds with communi¬ 
cation graphs g^ for x £ I = [a, b], b ^ a, contains an J-vertex-stable root component R^, if, for x £ I, 
every contains a root component with the same set of nodes R (but possibly varying interconnection 
topology). 
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We will abbreviate as an /-VSRC or |/|-VSRC if only the length of / matters, and sometimes denote an 
/-VSRC by its vertex set i? if / is clear from the context. Note carefully that we assume |/| = b — a+1 
here, since I = [a, h] ranges from the beginning of round a to the end of round 5; hence, / = [r, r] is not 
empty but rather represents round r. 

The most important property of a VSRC R^ is that information is guaranteed to spread to all its 
vertices R if the interval I is large enough, as proved in Lem. 4 below. To express this formally, we need 
a few basic definitions and lemmas. 

Similarly to the classic “happened-before” relation [40], we say that a process p causally influences q 
in round r, denoted by {p'^ q), iff either (i) q has an incoming edge {p —^ q) from p in 0’’, or (ii) ii q = p, 
i.e., we assume that p always influences itself in a round. Given a sequence of communication graphs 
, we say that there is an causal influence chain of length fc ^ 1 starting from p in round r to 

q, denoted by (p ^ q), if there exists a sequence of not necessarily distinct processes p = po,... ,Pfc = q 
such that Pi pi+i for 0 ^ f < fc. If fc is irrelevant, we just write (p ^ q) or just (p ^ q) and say that 
p (in round r) causally influences q. This allows us to define the notion of a dynamic causal distance 
between processes as given in Def. 7. 

Definition 7 (Dynamic causal distance). Given a sequence of communication graphs Q'', ^, 

the dynamic causal distance cdJ'{p, q) from process p (in round r) to process q is the length of the shortest 

causal influence chain starting in p in round r and ending in q, formally cd^{p, q) := min{k: (p q)}. 
We define cdJ'{p,p) = 1 and cdJ'{p, q) = oo if p never influences q after round r. 

Note that, in contrast to the similar notion of dynamic distance defined in [38], the dynamic causal 
distance in our directed graphs is not necessarily symmetric: If the adversary chooses the graphs S'" such 
that not all processes are strongly connected, the causal distance between two processes can even be 
finite in one and infinite in the other direction. In fact, even if is strongly connected for round r (but 
not for rounds r' > r), cd’’(p,q) can be inhnite. However, the following Lem. 1 shows that the causal 
distance in successive rounds cannot arbitrarily decrease. 

Lemma 1. Given a sequence of communication graphs G'', ■ ■ ■, for every two processes p,q £ II it 

holds that c6l~^^{p,q) ^ c6l{p,q) — As a consequence, if cdl{p,q) = oo, then also cW~^^{p,q) = oo. 

Proof. Since (p p) in every round r, the definition of dynamic causal distance trivially implies 
cW{p,q) ^1 +cW+^{p,q). □ 

Analogous to the dynamic diameter defined for undirected communication graphs in [38], we now 
dehne the dynamic causal diameter 0^{R^) for round a; in a /-VSRC R^ as the largest round x dynamic 
causal distance cd^{p, q) between any pair of processes p,q £ R: 

Definition 8 (Dynamic causal diameter). Given a sequence of communication graphs G'', , 

let I = [a, b], r ^ a b, be a nonempty interval of indices in this sequence.^ Assume that the subsequence 
of communication graphs G^ for x £ I contains an I-VSRC R^ with node set R. Then, the dynamic 
causal diameter of R^ for round x is defined as 0^{R^) := maxp ^q(zR{cd^{p,q)}. 

Obviously, it may be the case that 0^{R^) = oo in general. However, if j/j is sufficiently large, the 
following Lem. 2 reveals that 0^{R^) < oo. 

Lemma 2 (Bound on dynamic causal diameter). Given some I = [a, 6] and a VSRC R^ with 
[/?] fi2,ifb^a+\R\-2, thenVx£ [a,b - \R\ + 2]: 0^(R^) sf iRj - 1. 

Proof. Fix some process p £ R and some x where a ^ x ^ b — \R\-£ 2. Let Vo = {p}, and define for each 
i > 0 the set Vi = Vi-i U {q : 3q' £ Vi-i : q' £ fl R}. Vi is hence the set of processes q £ R 

such that (p g) holds. Using induction, we will show that jT^fc] ^ min{j/?|, fc -|- 1} for A: ^ 0. Induction 
base fc = 0: [T’ol ^ min{|i?j, 1} = 1 follows immediately from Vo = {p}- Induction step fc —> /c -I- 1, fc ^ 0: 
Clearly the result holds if J'Pfc] = [/?], thus we consider round x k and J'Pfc] < [/?]: It follows from 

® Note that we will implicitly assume that this sentence holds true in the sequel when we write something like 
“there is an interval I = [a, b] with a VSRC R^”. 



strong connectivity of 5^+^ fl R that there is a set of edges from processes in Vk to some non-empty set 
-Cfc C R\'Pk- Hence, we have Vk+i = Vk^ C-k, which implies \'Pk+i\ ^ \'Pk\ + l^k + l + l = k + 2 = 
min{|i?|, fc -I- 2} by the induction hypothesis. 

Thus, in order to guarantee R = Vk and thus |i?| = \Vk\, choosing k such that |i?| = 1 -I- A: and 
k^b — x + 1 is sufficient. Since b ^ x + \R\ — 2, both conditions can be fulfilled by choosing k = |i?| — 1. 
Moreover, due to the definition of Vk, it follows that cd^{p,q) ^ |i?| — 1 for all q G R. Since this holds 
for any p and any a; ^ s — |i?| -I- 2, the statement of Lem. 2 follows. □ 

Lem. 2 thus implies that information available at any node p G R aX the beginning of round x G 
[a, 6 — |i?| -I- 2] has spread to all other nodes in R by the end of round b, i.e., during I. On the other hand, 
it may be the case for some particular VSRC R^ with |/| < |i?| — 1 that the information available at the 
beginning of some round x G I has already spread to all other nodes in R by the end of round b. Lem. 3 
reveals that this implies that the information available at any round x' G [r, x\ has also been spread to 
all nodes in R by the end of round b. 

Lemma 3 (Information propagation). Suppose that R^ for I = [a, &] is an I-VSRC of size |i?| ^ 2, 
such that there is some x G [a, &] with x + 0^{R^) — 1 ^ Then, for every x' G [a,x], it holds that 
x' + 0^\R^) - 1 < 6. 

Proof. Lem. 1 reveals that for all p,q G R^ , we have a; — 1 -I- cd^“^(p, g) — 1 < x -I- cd^(p, q) — 1 ^ s, 
which implies x' -I- cd^ (p,q) — 1 ^ s for every x' where r ^ x' ^ x and proves our lemma. □ 

Conversely, assume that some particular VSRC R^ is such that information available at the beginning 
of round a reaches all members of R by the end of some round a + D — 1 < b, i.e., 0°‘{R^) ^ D for some 
D < \I\. Can we infer something about 0^{R^) for later rounds x > a in this case? In particular, will 
information available at the beginning of round b — D Ihe spread to all nodes by the end of round bl 
Unfortunately, in general, this is not the case, as the following simple example for I = [1,2] and |i?| = 3 
shows: If is the complete graph whereas Q'^ is a ring, 0^{R^) = D = 1, but information propagation 
starting at round 2 does not reach all other nodes by the end of of round 2. 

This stimulated the following Def. 9, which parameterizes the worst-case information propagation in 
a VSRC via a parameter D that represents its dynamic causal diameter. Informally, it guarantees that 
messages sent by any process in R, in any but the last D — 1 rounds of I, reach all members of R within 
/. 

Definition 9 (D-bounded /-VSRC). An I-vertex-stable root component R^ with I = [a, b] is D- 
bounded, with dynamic causal diameter D > 0, if either |/| < D or else Vx G [a,b — D 0^{R^) < 

D. 


Lem. 2 showed that every sufficiently long VSRC R^ is //-bounded for D ^ \R\ — 1; all sufficiently 
long VSRCs are hence necessarily in — l)-bounded. On the other hand, choosing some D < n — 1 can 
be used to force the message adversary to speed-up information propagation accordingly. For example, 
we show in Section 3.3 that certain expander graph topologies ensure D = C>(logn). 

To formalize information propagation from root components to the rest of the network, one has to 
account for the fact that a process q outside any root component may be reachable from multiple root 
components in general. Intuitively speaking, this models dynamic networks that do not “cleanly” parti¬ 
tion. Given a sequence of communication graphs t/”, ... containing a set = {R {,..., i?^} of / > 1 

/-VSRCs, all vertex-stable in the same interval / = [a, 6], let the round x dynamic network causal diame¬ 
ter h^ be the maximum, taken over all processes q G U, oi the minimal dynamic causal distance cd^{p, q) 
from some processp G Ui=i round x, formally h^{S^) := uiaxg^n{aamp^^Je_^Jf^.{cd^{p, (?)}}. Def. 10 
will be used in the sequel to guarantee that every process in the network receives a message from some 
member of at least one VSRC in = {R{,..., Rj} within H rounds if |/| ^ H. 

That is, by convention, we also call a VSRC //-bounded that is too short to be interesting. Obviously, such a 
VSRC need not guarantee information propagation within D rounds. Note that it would actually be possible 
to write |/| ^ D here, as our algorithms do not even consider //-VSRCs as interesting; we chose the present 
definition for consistency with Def. 10 for //-network-bounded VSRCs, however. 
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Definition 10 (i7-network-bounded /-VSRC). A set = {i?(, ..., of £ ^ 1 I-VSRCs with 
I = [a, b] is H-network-bounded, with dynamic network causal diameter H > 0, if either |/| < H or else 
G [a,b — H -\- 1] : h^{S^) < H. 

Note that Def. 10 guarantees {p q) for at least one but not for all p G Ri. Moreover, p (and hence 
Ri) may be different for different starting rounds x in I. 

A comparison of Def. 10 and Def. 9 reveals that it always holds that H ^ D. Moreover, in the case 
I = \ (where contains a single root component R^ only), Def. 10 is exactly Def. 9 with the dynamic 
causal diameter 0^{R^) replaced by the dynamic network causal diameter h^{S^) =: h^{R^). Finally, 
analogous to Lem. 2, the following Lem. 4 shows that the dynamic network causal diameter H is bounded 
by n — 1, provided b — a ^ n — 2. 

Lemma 4 (Bound on dynamic network causal diameter). Suppose there is some interval I = [a, b] 

where there is a set = {Ri, ■ ■. ,Rj} of exactly £^ 1 I-vertex-stable root components. Ifb^a-\-n — 2 
and n ^ 2, then is n — 1-network bounded. 

Proof. Let Pq = Ui=i fix any x where a ^ x < 6 — n + 2. Define, for each z > 0, the set 

Pi = Pi-i U {q : 3q' G Pt-i : q' G Pi is hence the set of processes q such that {p ^ q) holds 

for at least one p G Pq. Using induction, we will show that \Pk\ ^ mm{n,k + 1} for fc ^ 0. Induction 
start k = 0 : |Po| ^ minjn, 1} = 1 follows immediately from Pq A {pi,... with £^ 1. Induction step 
k ^ k -\- l,k 0: First assume that already \Pk\ = n; since lUfc+il ^ \Pk\ = n ^ minjn, k + 2}, we are 
done. Otherwise, consider round x -\- k and \Pk\ < n: Since every node g G 7T is in a weakly connected 
component containing at least one root in every round, hence also in there is a set of edges from 

processes in Pk to some non-empty set Lk Q 11 \ Pk. Hence, we have Pk+i = Pk k) Lk, which implies 
|Pfe+i| ^ |Pfc| + l^fc+l + l = ^ + 2 = min{n, fc -|- 2} by the induction hypothesis. Thus, in order to 
guarantee 11 = Pk and thus n = \Pk\, choosing k such that n = l-\- k and — a;-|-lis sufficient. Since 
b ^ X -\- n — 2, both conditions can be fulfilled by choosing k = n — 1. Moreover, due to the definition of 
Pk, it follows that for all g G iT there is some p & Pq with cd^{p, q) < n — 1, implying h^ < n — 1. Since 
this holds for any x ^ b — n -\- 2 following Def. 10, this implies Lem. 4. □ 

3.3 An example for H < n — 1: Expander topologies 

We conclude this section with an example of a network topology that guarantees a dynamic causal 
network diameter PI that is much smaller than n—1, which justifies why we introduced this parameter 
(as well as D) explicitly in our model. 

An undirected graph Q is an a-vertex expander if, for all sets S C V(Q) of size < \V{Q)\/2, it holds 
that > a, where N(S) is the set of neighbors of S in Q, i.e., those nodes in V{G) \ S that have a 

neighbor in S. (Explicit expander constructions can be found in [31].) As we need an expander property 
for directed communication graphs, we consider, for a vertex/process set S and a round r, both the set 
Af+{S) of nodes outside of S that are reachable from S and the set of nodes Aff{S) that can reach S 
in r. Def. 11 ensures an expansion property both for subsets S chosen from root components (property 
(a)) and other processes (properties (b), (c)). 

Definition 11 (Directed Expander Topology). There is a fixed constant a and a fixed set R such 
that the following conditions hold for all sets S C V(G^): 

(a) If [S'! < |i?|/2 and SCR, then ^ a and ^ a. 

(h) If jS'l ^ n/2 and R C S, then ^ a. 

(c) If jS'l ^ n/2 and i? fl A = 0, then ^ a. 

The following Lem. 5 shows that (1) Def. 11 does not contradict the existence of a single root 
component and that (2) these expander topologies guarantee both a dynamic causal diameter D = 
O(logn) for /-VSRCs with |/| = O(logn) and a dynamic causal network diameter H = O(logn). 

Lemma 5. There are sequences of graphs (G^)r>o with a single root component in every G^ where 
Def. 11 holds and where, for any such run, there is an interval I during which there exists a D-bounded 
and H-network-hounded I-vertex stable root component with D = O(logn) and H — O(logn). 
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Proof. We will first argue that directed graphs with a single root exist that satisfy Def. 11. Consider the 
simple undirected graph U that is the union of an a-vertex expander on with member set R, and an 
a-vertex expander on V (G^). We turn U into a directed graph by replacing every edge (p, q) S E{U) with 
oriented directed edges p ^ q and q ^ p. This guarantees Properties (a)-(c). In order to guarantee the 
existence of exactly one root component, we drop all directed edges pointing to R^ from the remaining 
graph, i.e., we remove all edges p ^ q where p ^ R and q € R, which leaves Properties (a)-(c) intact and 
makes the R from Def. 11 the single root component of the graph. We stress that the actual topologies 
chosen by the adversary might be quite different from this construction, which merely serves us to show 
the existence of such graphs. 

We also recall that our message adversaries like the one given in Def. 12 will rely on vertex-stable 
root components R^, which only require that the set of its vertices R remain unchanged, whereas the 
interconnect topology can change arbitrarily. Adding Def. 11 does of course not change this fact. 

We will first show that the “per round” expander topology stipulated by Def. 11 is strong enough to 
guarantee that every sufficiently long VSRC is D-bounded with D = 0{\ogn). 

For z > 1, let Vi C R he the set of processes q in R^ with / = [a,b] and |/| = O(logrz) such that 


(p ^ q), and Vo = {p}- The result D = O(logn) follows immediately from Lem. 2 if |i?| € O(logn), so 
assume that |i?| S l7(logn) and consider some process p € R. For round a, Property (a) yields |'Pi| ^ 
|'Po|(l + a). In fact, for all i where \Vi\ < |A|/2, we can apply Property (a) to get |'Pi+i| ^ \Vi\{l + a), 
hence \Vi\ ^ min{(l-|-a)*, |i?|/2}. Let ^ be the smallest value such that {1+aY > |A|/2, which guarantees 


that \Vi\ > \R\/2. That is, £ = 


l°g(|fi|/2) 

log(l-l-a) 


€ O(logn). Now consider any q G R and define Qi-i C R as 


the set of nodes that causally influence the set Qi in round a -I- z, for Q 2 e+i = {<?}. Again, by Property 
(a), we get |Qi-i| ^ |Qi|(l + so \Q 2 k-i\ ^ max{(l -I- a)*, |i?|/2}. From the definition of i above, we 
thus have \Qi\ > |i?|/2. Since 0 , it follows that every p G R influences every q G R within 

2£ G O(logn) rounds. While the above proof has been applied to the starting round x = a only, it is 
evident that it carries over literally also for any x < s — 2£, which shows that R^ is indeed D-bounded. 

What remains to be shown is that iL-network-boundedness with H = O(logrz) also holds. We use 
Properties (b) and (c) similarly as in the above proof: For any round x G [r, s — 2k'], we know by (b) that 
any processp G R has influenced at least n/2 nodes by round x + k' where k' = [logi_|_„(n/2)] G O(logn) 
by arguing as for the Vi sets above. Now (c) allows us to reason along the same lines as for the sets Qi-i 
above. That is, any q in round x + 2k' will be influenced by at least n/2 nodes. Therefore, any p will 
influence every q G U hy round x 2k', which completes the proof. □ 


This confirms that sequences of communication graphs with D < n — 1 and H < n — 1 indeed exists 
and are compatible with message adversaries such as VSRC((i) stated in Def. 12 below. 


4 Consensus Impossibilities and Lower Bounds 

In this section, we will prove that some a priori knowledge of the dynamic network causal diameter and 
the existence of a stable interval of a certain minimal size are inevitable for soving consensus in our 
model. Moreover, we will introduce the message adversary VSRC((i), which will be shown in Section 5 
to be weak enough for solving consensus if c? = 2D + 2H -I- 2 ^ AH + 2, albeit it is too strong for solving 
other standard problems in dynamic networks like reliable broadcasting. 

Since consensus is trivially impossible for an unrestricted message adversary, which may just inhibit 
any communication in the system, we start from a message adversary that guarantees weakly connected 
communication graphs G"^ in every round r. However, it is not difficult to see that this not sufficient 
for solving consensus, even when all G'^ = G are the same, i.e., in a static topology: Consider the case 
where G contains two root components i?i and R 2 ', such a graph obviously exists, cp. Lem. 6 below. If 
all processes in i?i start with initial value 0 and all processes in R 2 start with initial value 1, they must 
decide on their own initial value and hence violate agreement. After all, no process in, say, Ri ever has 
an incoming link from any process not in Ri. 

We hence restrict our attention to message adversaries that guarantee a single root component in t?” 
for any round r. Fig. 1 showed a sequence of graphs where this is the case. Some simple properties of 
such graphs are asserted by Lem. 6. 
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Lemma 6. Any t/'’ contains at least one and at most n root components (isolated processes), which 
are all disjoint. If t/'’ contains a single root component , then Q'" is weakly connected, and there is a 
directed (out-going) path from every p € to every q € ■ 

Proof. We first show that every weakly connected directed simple graph Q has at least one root compo¬ 
nent. To see this, contract every SCC to a single vertex and remove all resulting self-loops. The resulting 
graph G' is a directed acyclic graph (DAG) (and of course still weakly connected), and hence G' has at 
least one vertex R (corresponding to some SCC in G) that has no incoming edges. By construction, any 
such vertex R corresponds to a root component in the original graph G. Since G'" has at least 1 and at 
most n weakly connected components, the first statement of our lemma follows. 

To prove the second statement, we use the observation that there is a directed path from m to u in 
G if and only if there is a directed path from the vertex Cu (containing u) to the vertex Cf (containing 
v) in the contracted graph G'. If there is only one root component in G, the above observations imply 
that there is exactly one vertex R in the contracted graph G' that has no incoming edges. Since G' is 
connected, R has a directed path to every other vertex in G', which implies that every process p G R has 
a directed path to every vertex q, as required. □ 

It follows from [8] that assuming a single root component makes consensus solvable if the root compo¬ 
nent is static. In this paper, we allow the root component to change throughout the run, i.e., the (single) 
root component R’’ of G'" might consist of a different set of processes in every round round r. However, 
it will turn out that a sufficiently long interval of vertex-stability is indispensable for solving consensus 
in this setting. In the sequel, we will consider the message adversary VSRC((i) stated in Def. 12, which 
implicitly enforces the dynamic network causal diameter H according to Def. 10 and is parameterized 
by some stability window duration d > 0. 

Definition 12 (Consensus message adversary VSRC((i)). The message adversary VSRC{d) is the 
set of all sequences of communication graphs {G'')r> 0 ) where 

(i) for every round r, G^ contains exactly one root component R’', 

(a) all vertex-stable root components occurring in any {G'')r>o are H-network-bounded, 

(Hi) for each {G^)r>o, there exists some rsT > 0 and an interval of rounds J = [rsT,rsT -f d — 1] with 
a H-network-bounded J-vertex-stable root component. 

Note that item (ii) has been added to the above definition solely for the sake of our consensus algorithm 
in Section 5. All the impossibility results and lower bounds in this section hold also when (ii) is dropped 
or replaced by something (like D-bounded VSRCs, as in Def. 15) that does not affect item (iii). 

First, we relate the message adversary in Def. 12 to the classification of [13]: Lem. 7 reveals that it 
is stronger than the weakest class that requests one node that eventually reaches all others, but weaker 
than the second class that requests one node that is reached by all. By contrast, models like [35,38] that 
assume bidirectionally connected graphs G^ in every round belong to the strongest classes (Class 10) 
in [13]. 

Lemma 7 (Properties of VSRC((i)). In every sequence (G^)r>o of communication graphs feasible for 
VSRC{d), 

(i) there is at least one process p such that cd^ {p,q) is finite for all q € II, and this causal distance is 
in fact at most n{n — 2) -|- 1. 

(ii) Conversely, forn > 2, the adversary can choose some sequence (G^)r>o where no process p is causally 
influenced by all other processes q, i.e., ^p \/q: cd^{q,p) < oo. 

Proof. Def. 12 guarantees that there is (at most) one root component i?’’ in every G'", r > 0. Since we 
have infinitely many graphs in {G^)r>o but only finitely many processes, there is at least one process p 
in i?’’ for infinitely many r. Let ri, r 2 , ... be this sequence of rounds. Moreover, let Vo = {p}, and define 
for each i > 0 the set Vi = Vi-i U {q : 3q' € Vi-i : q' € A/",*}. 

Using induction, we will show that |'Pfc| > min{n, fc -I- 1} for fc > 0. Consequently, by the end of 
round r„_i at latest, p will have causally influenced all processes in II. Induction base k = 0: \Vo\ ^ 
min{n, 1} = 1 follows immediately from Vo = {p}. Induction step k ^ k -\- 1, k 0: First assume that 
already \Vk\ = n ^ min{n,/c -I- 1}; since |Pfc+i| ^ \Vk\ = n min{n, fc -|- 1}, we are done. Otherwise, 
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consider round Vk+i and \Vk\ < n: Since p is in there is a path from p to any process q, in 

particular, to any process qin n\Vk^%- Let {v —> w) be an edge on such a path, such that v €Vk and 
w € n\'Pk- Clearly, the existence of this edge implies that v S and thus w € Vk+i- Since this 

implies iT’fc+il ^ \Vk \ + 1 >A: + l + l = fc + 2 = min{n, /c + 2} by the induction hypothesis, we are done. 

Finally, at most n{n — 2) + 1 rounds are needed until all processes q have been influenced by p, i.e., 
r„_i ^ n(n — 2) + 1: A pigeonhole argument reveals that at least one process p must have been in the 
root component for n — 1 times after so many rounds. After all, if every p appeared at most n — 2 times, 
we could fill up at most n(n — 2) rounds. By the above result, this is enough to secure that some p 
influenced every q. 

The converse statement (ii) follows directly from considering a static star, for example, i.e., a com¬ 
munication graph where there is one central process c, and for all r, = (7T, {(c q)\q € n \ {c}}). 
Clearly, c cannot be causally influenced by any other process, and qq^ q' for any q,q' ^ q G U \ {c}. 
On the other hand, this topology satisfy Def. 12, which includes the requirement of at most one root 
component per round. □ 

Next, we examine the solvability of several broadcast problems [35] under the message adversary of 
Def. 12, summarized in Theorem 1. Although there is a strong bond between some of these problems and 
consensus in traditional settings, they are not implementable under our assumptions—basically, because 
there is no guarantee of (eventual) bidirectional communication. 

Theorem 1. Under the message adversary VSRC(d) given in Def. 12, for any d, neither reliable broad¬ 
cast, atomic broadcast, nor causal-order broadcast can he implemented. Moreover, there is no algo¬ 
rithm that solves counting, fc-verification, fc-token dissemination, all-to-all token dissemination, and k- 
committee election. 

Proof. We first consider reliable broadcast, which requires that when a correct process broadcasts m, 
every correct process eventually delivers m. Suppose that the adversary chooses the communication 
graphs Vr : = {{p, q, s} , {{p —)■ q), {q —>■ s)}), which matches Def. 12. Clearly, g is a correct process 

in our model. Since p never receives a message from q, p can trivially never deliver a message that q 
broadcasts. 

For the token dissemination problems stated in [35], consider the same communication graphs and 
assume that there is a token that only s has. Since no other process ever receives a message from s, token 
dissemination is impossible. 

For counting, ^-verification, and fc-committee election, we return to the static star round graph 

= (77, {(c —>• g)|g G 77 \ {c}}) with central node c considered in the proof of Lem. 7. As the local 
history of any process is obviously independent of n here, it is impossible to solve any of these problems. 

□ 


4.1 Necessity of a priori knowledge of the dynamic network causal diameter 

We will now show that every correct solution for consensus, as well as for the related leader-election 
problem, requires some a priori knowledge of the dynamic network causal diameter of the communication 
graphs generated by the adversary. Recall that a uniform algorithm does not have any priori knowledge 
of the network, i.e., does not even know upper bounds for the dynamic network causal diameter 77 (and 
hence for n). 

Theorem 2 (Impossibility of uniform consensus). There is no uniform algorithm that can solve 
consensus under the message adversary VSRC(d) given in Def. 12, for any d. 

Proof. Assume for the sake of a contradiction that there is such a uniform algorithm A, w.l.o.g. for a set 
of input values V that contains 0 and 1. Consider a run ay of A on a communication graph Q that forms 
a (very large) static directed line rooted at process p and ending in process q. Process p has initial value 
V G [0,1], while all other processes have initial value 0. Clearly, the uniform algorithm A must allow p 
to decide on v by the end of round k, where k is a constant (independent of H and n; we assume that n 
is large enough to guarantee n — 1 > k). Next, consider a run /3„ of A that has the same initial states as 
ay, and communication graphs that, during rounds [1 ,k], are also the same as in ay (defining 

what happens after round k will be defered). In any case, since ay and fly are indistinguishable for p 
until its decision round k, it must also decide v in fy at the end of round k. 
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However, since n > k + 1, g has not been causally influenced by p by the end of round k. Hence, it 
has the same state both in /3„ and in Pi-y. As a consequence, it cannot have decided by round k: 
If q decided v, it would violate agreement with p in /3i_„. Now assume that runs f3v, (3i-v are actually 
such that the stable window occurs later than round k, i.e., rsr = k + 1, and that the adversary just 
reverses the direction of the line then: For all ^ + 1, g is the root and p is the last process of the 

resulting topology. Observe that the resulting /3„ still satisfies Def. 12, since g itself forms the only root 
component. Now, g must eventually decide on some value v' in some later round n', but since g has been 
in the same state at the end of round n in both /3„ and /3i-«, it is also in the same state in round k' in 
both runs. Hence, its decision contradicts the decision of p in □ 

We now use a more involved indistinguishability argument to show that a slightly weaker problem 
than consensus, namely, leader election is also impossible to solve uniformly under the message adversary 
VSRC(c?). The classic leader election problem (cf. [42]) assumes that, eventually, exactly one process 
irrevocably elects itself as leader (by entering a special elected state) and every other process elects 
itself as non-leader (by entering the NON-elected state). Non-leaders are not required to know the 
process id of the leader. 

Whereas it is easy to achieve leader election in our model when consensus is solveable, by just reaching 
consensus on the process ids in the system, the opposite is not true: Since the leader elected by some 
algorithm need not be in the root component that exists when consensus terminates, one cannot use the 
leader to disseminate a common value to all processes in order to solve consensus atop of leader election. 

Theorem 3 (Impossibility of uniform leader election). There is no uniform algorithm that can 
solve leader election under the message adversary VSRC{d) given in Def. 12, for any d. 

Proof. We assume that there is a uniform algorithm A that solves the problem. Consider the execution 
ayj{m) of A in a static unidirectional chain of m processes, headed by process p with id w: Since p has 
only a single out-going edge and does not know n, it cannot know whether it has neighbors at all. Since 
it might even be alone in the single-vertex graph consisting of p only, it must elect itself as leader in any 
ayj{m), m ^ 1, after some T^, rounds {Tyj may depend on w, however, as we do not restrict A to be 
time-bounded). 

Let w and z be two arbitrary different process ids, and let resp. be the termination times in 
the executions ^^(to) resp. az{m'), for any m, to'; let T = max{riu,Tz}. 

We now build a system consisting of n = 2r -|- 3 processes. To do so we assume a chain Qp oi T + \ 
processes headed by p (with id w) and ending in process t, a second chain Qg oi T + 1 processes headed 
by g (with id z) and ending in process s, and the process r. 

Now consider an execution /?, which proceeds as follows: For the first T rounds, the communication 
graph is the unidirectional ring created by connecting the above chains with edges (s —>■ p), (t —>■ r) and 
(r ^ g); its root component clearly is the entire ring. Starting from round T -|-1 on, process r forms the 
single vertex root component, which feeds, through edges (r g) and (r —>■ t) the two chains Gq and Gp, 
with Gp being Gp with all edges reversed. Note that, from round T -|- 1 on, there is no edge connecting 
processes in Gp with those in Gq or vice versa. 

Let £ be the process that is elected leader in ft. We distinguish 2 cases: 

1. £ & Gq£> {r}, then consider the execution ftp that is exactly like /3, except that there is no edge 
(s —>■ p) during the first T rounds: p with id w is the single root component here. Clearly, for p, the 
execution j5p is indistinguishable from ayj{2T -\- 3) during the first ^ T rounds, so it must elect 
itself leader. However, since no process in Gq U {r} (including t = £) is causally influenced by p during 
the first T rounds, all processes in Gq U {r} have the same state after round T (and all later rounds) 
in Pp as in /3. Consequently, £ also elects itself leader in Pp as it does in P, which is a contradiction. 

2. On the other hand, if f G Gp, we consider the execution Pg, which is exactly like P, except that there 
is no edge (r —> g) during the first T rounds: g with id z is the single root component here. Clearly, 
for g, the execution Pg is indistinguishable from az{T + 1) (made up of the chain Gq) during the first 
Tz rounds, so it must elect itself leader. However, since no process t in C/p U {r} (including t = £) 
is causally influenced by g during the first T rounds, t has the same state after round T (and all 
later rounds) in Pg as in p. Consequently, £ also elects itself leader Pg as it does in P, which is again 
a contradiction. 

This completes the proof of Theorem 3. □ 
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4.2 Impossibility of consensus with too short stability intervals 

The goal of this section is to show that root components must be vertex-stable sufficiently long for 
solving consensus in our model. In essence, what is needed for this purpose is that every member of the 
set R of processes in R^ is able to reach the entire network. Recalling Def. 10, this requires |/| to be at 
least H and hence H in Def. 12. 

In order to show that VSRC(i7) is indeed necessary in our setting, we will now consider a stronger 
message adversary VSRC’(i/ — 1) given in Def. 14 below: It is stronger than VSRC(i4) as its stability 
interval is shorter, but still slightly weaker than VSRC(i4 — 1), in that it also guarantees one process 
to be reached from the processes in R within H rounds, despite the too short stability interval I. Note 
carefully that, since there is only one such process, it would be reached if |/| was actually H. This 
property is formally captured by almost H — 1-network-bounded VSRCs introduced in Def. 13, which is 
slightly weaker than Def. 10 in that /-VSRC’s with |/| = — 1 are no longer arbitrary. 

Definition 13 (Almost H — 1-bounded /-VSRC). An I-vertex-stable root component R^ with I = 
[a, b] is almost 1-network-bounded, with dynamic network causal diameter H > 0, if either |/| < H—1 
or else\/x € [a, b—H-\-2] there exists a unique q € 11 with\/p G R : cd“(p, q) ^ H, while for all q' € 17\{q} 
we have Wp G R : cd®(p, q') ^ H — 1. 

Definition 14. The message adversary VSRCfH — 1) is the set of all sequences of communication 
graphs (Q^)r>o> where 

(i) for every round r, contains exactly one root component i?’’, 

(ii) all vertex-stable root components R^ occurring in any {Q^)r>o H-network-bounded, 

(Hi) for each (Q’')r>o, there exists some rsT > 0 and an interval of rounds J = [rgr, rsT -\- H — 2] with 
an almost H — 1-network-bounded J-vertex-stable root component. 

Note carefully that Def. 14 allows the message adversary to choose any communication graph sequence 
that is consistent with the conditions stated therein. In particular, VSRC’(il — 1) can choose a sequence 
of communication graphs that ensures a dynamic causal distance H between any specific p G R^ and q in 
a VSRC with \I\ = H — 1. Moreover, we have the following Lem. 8 that relates our message adversaries: 

Lemma 8. It holds that VSRC{H — 1) ^ VSRC’{H — 1) ^ VSRC{H), so that every sequence of com¬ 
munication graphs generated by the message adversary VSRC{H) is also feasible for VSRC’{H — 1). 

Proof. A comparison of Def. 14 and Def. 12 reveals that they differ only in item (iii). Since almost 
H — 1-network-bounded is slightly weaker than H-network-bounded, as the adversary needs to guarantee 
a network causal distance cd^ (p,q') of at most H — 1 from every p G i? to every q' ^ q in the former, 
VSRC(il — 1) ^ VSRC’(iL — 1) follows: After all, VSRC(il — 1) assumes a iJ-network-bounded VSRC. 
On the other hand, Def. 14 does not forbid the message adversary to generate a sequence of communi¬ 
cation graphs that adheres to Def. 12 with d = H, which also confirms VSRC’(iL — 1) ^ VSRC(iL) and 
completes our proof. □ 

We will now prove that the message adversary YSRCfH — 1), and hence by Lem. 8 also VSRC(iL — 1), 
is too strong for solving consensus: Processes can withold information from each other, which causes con¬ 
sensus to be impossible [52]. In order to simplify our proof, we assume that the adversary has to fix 
the start of J = [rsTHsT + H — 2] and the set of root members R in the eventually generated root 
component R'^ before the beginning of the execution (but given the initial values). Note that this does 
not strengthen the adversary, and hence does not weaken our impossibility result: For deterministic al¬ 
gorithms, the whole execution depends only on the initial values and the sequence of the l?’’’s, so the 
adversary could simulate the execution and determine every based on this. 

Lemma 9. Consider two runs of a consensus algorithm A under message adversary VSRCfH — 1), for 
some a priori fixed ,J = [rgr, i"st -\- H — 2] and set of processes R in R"^, which start from two univalent 
configurations C and C that differ only in the state of one process p at the beginning of round r. Then, 
C and C" cannot differ in valency. 
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Proof. The proof proceeds by assuming the contrary, i.e., that C and C" have different valency. We will 
then apply the same sequence of round graphs to extend the execution prefixes that led to C and C" 
to get two different runs e' and e". It sufhces to show that there is at least one process q that cannot 
distinguish e' from e": This implies that q will eventually decide on the same value in both executions, 
which contradicts the assumed different valency of C and C". 

Our choice of the round graphs depends on the following exhaustive cases: 

(i) For p ^ R, we let the adversary choose any root component consisting of the processes in R, for 
all s ^ r. Obviously, every process (i.e., we can choose any) q G R has the same state throughout e' 
and e". 

(ii) For p G R and r G J, we choose any root component i?® consisting of the processes in R for 
r < s < rsT + H — 2, and R^ = {g} for s > rsr + H — 2, where q is the process that does not hear 
from any process in R (and hence from p) within J according to Def. 13. Hence, q has the same state 
in e' and e", both during J and afterwards, where it is the single root. 

(hi) For p G R and r ^ J, we choose graphs t/® where i?® = {g} and p has only in-edges for r ^ s < rsT] 

q (satisfying q ^ R and hence q ^ p) is again the “distant” process allowed by Def. 13. From s = rsr 
on, we choose the same graphs t/® as in case (ii). It is again obvious that q has the same state 
throughout e' and e”, since p cannot communicate to any process before J and does not reach q 
within J. 

In any case, for process q, the sequence of states in the extensions starting from C" and C" is hence the 
same. Therefore, the two runs are indistinguishable for q, which cannot hence decide differently. This 
provides the required contradiction to the different valencies of C" and C”. □ 

The next Lem. 10 establishes connectedness of the successor graph of a configuration [52]. 

Lemma 10. For any two round r graphs Q' and Q", we can find a finite sequence of graphs G' ■ ■ - Gi ■ ■ ■ G", 

each with a single root component, where any two consecutive graphs differ only by at most one edge. We 
say that the configurations C resp. C" reached by applying G' resp. G" to the same configuration C are 
connected in this case. Moreover, our construction guarantees that if the root components of G' and G" 
consist of the same set of processes R' = R" = R, the same is true for all Gi ■ 

Proof. First, we consider two cases with respect to the members R' and R" of the respective root 
components: (a) R' fl R" = 0, (b) R' fl R" ^ 0. Moreover, for the second part of the proof, we also 
consider a special case of (b): (b’) R' = R". 

For case (b) (and thus also for (b’)), we consider Gi = G'. For case (a), we construct Gi from G' 
as follows: Let p' G R' and p" G R", then Gi has the same edges as G' plus a = [p" -G p'), thus 
i?i D i?' U {p"} (recall that p" must be reachable from R' already in G'). So, now we have that in both 
cases G' and Gi differ in at most one edge. Moreover, there is a nonempty intersection between i?i and 
R". 

In the first phase of our construction (which continues as long as E" \Ei %), we construct Gi+i 
from Gi, i ^ 1, by choosing one edge e = {v ^ w) from E" \ Ei and let Gi+i have the same edges as 
Gi plus e. Clearly, Gi and Gi+i differ in at most one edge. Moreover, when adding an edge, we cannot 
add an additional root component, so as long as we add edges we will have that Gi+i has a single root 
component Ri+i D R'. 

When we reach a point in our construction where E" \ Ei = %, the first phase ends. As Gi now 
contains all the edges in G", i.e., Ei D E”, we have Ri D R". In the second phase of the construction, we 
remove edges. To this end, we choose one edge e = (v ^ w) from Ei \ E”, and construct Gi+i from Gi 
by removing e. Again we have to show that there is only one root component. Since we never remove an 
edge in E", Gi always contains a directed path from some x G R" to both v and w that only uses edges 
in E". As e ^ E", this also holds for Gi+i- Since there is only one root component in G", this implies 
that there is only one in Gi+i- 

Let Gj be the last graph constructed in the first phase, and Gk the last graph constructed in the 
second phase. It is easy to see that E^ = Ej \ {Ej \ E”), which implies that Ek = E" and hence Gk = E". 
This completes the proof of the first part of our lemma. 

To see that the second part also holds, we consider case (b’) in more detail and show by induction 
that Ri+i = Ri = R. For the base case, we recall that Gi = G' and thus R\ = R!. For the induction step, 
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we consider first that the step involves adding an edge e= (v ^ w) (phase 1): Adding an edge can only 
modify the root component when v ^ Ri and w € Ri- Since such an edge e is not in E” (as it has the 
same root component as E'), we cannot select it for addition, so the root component does not change. 

If, on the other hand, the step from Qi to Qi+i involves removing the edge e = (v ^ w) (phase 2), we 
only need to consider the case where v G Ri- (If f ^ i?i, then also w ^ Ri so the root component cannot 
change by removing e.) But since we never remove edges from E", this implies that even after removing 
e there is still a path from v to w, so the root component cannot have changed. □ 

The proof of the following impossibility result follows roughly along the lines of the proof of [52, 
Lemma 3]. It shows, by means of induction on the round number, that a consensus algorithm A cannot 
reach a univalent conhguration after any finite number of rounds. 

Theorem 4 (Impossibility of consensus under VSRC(iL — 1)). There is no algorithm that solves 
consensus under the message adversary VSRC\H — 1), and hence none under VSRC{H — 1). 

Proof. We follow roughly along the lines of the proof of [52, Lemma 3] and show per induction on the 
round number, that no algorithm A can reach a univalent conhguration by round r, for any r > 0. 
Since no process can have decided in a bivalent conhguration, this violates the termination property of 
consensus. 

For the base case, we consider binary consensus only and argue similar to [25] but make use of our 
stronger validity property: Let C® be the initial conhguration, where the processes with the x smallest 
ids start with I and all others with 0. Clearly, in Cq all processes start with 0 and in C° all start with I, 
so the two conhgurations are 0- and I-valent, respectively. To see that for some x must be bivalent, 
consider that this is not the case, then there must be a Cf. that is 0-valent while is 1-valent. But, 
these conhgurations differ only in Px+l^ so by Lem. 9 they cannot be univalent with different valency. 

For the induction step we assume that there is a bivalent conhguration C at the beginning of round 
r — 1, and show that there is at least one such conhguration at the beginning of round r. We proceed by 
contradiction and assume all conhgurations at the beginning of round r are univalent. Since C is bivalent 
and all conhgurations at the beginning of r are univalent, there must be two conhgurations C and C" 
at the beginning of round r which have different valency. Clearly, C and C” are reached from C by two 
different round r — 1 graphs Q' = {U, E') and Q" = (77, E"). Lem. 10 shows that there is a sequence of 
graphs such that C and C" are connected. Each pair of subsequent graphs in this sequence differs only 
in one link (u —>■ w), such that the resulting conhgurations differ only in the state of w. Moreover, if the 
root component in Q' and Q" is the same, all graphs in the sequence also have the same root component. 
Since the valency of C and C" was assumed to be different, there must be two conhgurations C and 
C in the corresponding sequence of conhgurations that have different valency and differ only in the 
state of one process, say p. Applying Lem. 9 to C and C again produces a contradiction, and so not 
all successors of C can be univalent. 

We have hence established that VSRC’(77 — I) is too strong for consensus, which implies the same 
for VSRC(77 — I) according to Lem. 8. □ 

5 A Consensus Algorithm for VSRC(2iD + 2H + 2) 

In this section, we show that it is possible to solve consensus under the message adversary VSRC(277 + 277 + 2) 
given in Def. 12. 

The underlying idea of our consensus algorithm is to use hooding to propagate the largest input value 
to everyone. However, as Def. 12 does not guarantee bidirectional communication between every pair of 
processes according to Lem. 7, hooding is not sufficient: The largest input value could be hidden at a 
single process p that never has outgoing edges. If such a leaf process p would never accept smaller values, 
it is impossible to reach agreement (without potentially violating validity). Thus, we have to hnd a way 
to force p to accept also a smaller value. 

A well-known technique to do so is locking a candidate value. Obviously, we do not want a leaf process 
to lock its value, but rather some process(es) that will be able to impose their locked value, i.e., can 
successfully hood the system. In addition, we may allow processes that have successfully locked a value 
to decide only when they are sure that every other process has accepted their value as well. According 
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to Def. 10, both can be guaranteed when these processes have been in a vertex stable root component 
long enough— which is (amply) guaranteed by VSRC(2I1 + 2H + 2). 

The first major ingredient of our consensus algorithm is a network approximation algorithm (described 
in Section 5.1), which allows processes to detect their root membership in (past) rounds. The core of 
our consensus algorithm (presented in Section 5.2) then exploits this knowledge for reaching agreement 
on locked values and imposes the resulting value on all processes in the network. As we will see, the 
main complication comes from the fact that a process can detect whether it has been part of the root 
component of round r only with some latency. 

5.1 The Local Network Approximation Algorithm 

According to our system model, no process p has any initial knowledge of the network. In order to learn 
about VSRCs, for example, it hence needs to locally acquire such knowledge. Process p achieves this by 
means of Alg. 1, which maintains a network estimate Ap in a local variable .Ap is a graph that holds 
the local estimates of every communication graph Q'' that occurred so far, simply by labeling an edge 
{p —^ q) with the set of round numbers of every Q'' once p received evidence that (p q) was present in 
round r. 

Initially, Ap consists of process p only. In every round, every process p broadcasts its current Ap and 
fuses it with the network estimates received from its neighbors. In more detail, p updates Ap whenever 

{r} 

q € Afp, by adding {q p) ii q is p’s neighbour for the first time, or by updating the label of the edge 

{q p) to {q ^ p) (line 5 and line 7). Moreover, p also receives Ag from q and uses this information 

to update its own knowledge: The loop in line 9 ensures that p has an edge {v w) for each {v —>■ w) 
in Ag, where T is the set of rounds previously known to p. 

Given Ap, we use Ap\t with t ^ r to denote the current estimate of G* contained in Ap. Formally, 
Ap\t is the graph induced by the set of edges 

Ep\t = ^e = {v ^ w) I 3T D {t} : (v ^ w) € . 

As the information about g’s neighbors in G* might take many rounds to reach some process p (if it ever 
arrives at p), Ap\t may never be fully up-to-date, and as only reported edges are added to the estimate 
(but not all reports need to reachp), Ap\t will be an under-approximation of G*■ For example, a process p 
that does not have any incoming links from other processes, throughout the entire run of the algorithm, 
cannot learn anything about the remaining network, i.e., Ap will permanently be the singleton graph. 

Alg. I finally provides an externally callable function InStableRoot(/), which will be used by the 
core consensus consensus algorithm to find out whether the calling process p was member in an J-VSRC 
and to query the set of all members R. We will prove in Lem. 12 below that the latter is the case if 
Ap\t is strongly connected and consists of the same non-empty set R of processes for all t € /. Informally, 
this is due to the fact that the members of an /-VSRC will not be able to acquire knowledge of the 
topology outside R^ within I , as they do not have incoming links from outside. 

We start our analysis of Alg. 1 with Lem. 11, which shows that Ap\t underapproximates G* in a way 
that consistently includes neighborhoods. Its proof uses the trivial invariant asserting Ap\t = ({p}, 0 ) at 
the end of every round r < t. 

Lemma 11. If Ap\t eontains {v —> w) at the end of some round r, then (i) (v —>■ ru) € G*", be., Ap\t C G^ , 
and (ii) Ap\t also contains {v' —>■ w) for every v' € Af^ Q G*■ 

Proof. We first consider the case where r < t, then at the end of round r Ap\t is empty, i.e., there are 
no edges in Ap\t. As the precondition of the Lemma’s statement is false, the statement is true. 

For the case where r ^ t, we proceed by induction on r: 

We denote the value of a variable v of process p in round r before the round r computation finishes as 
Vp G Sp G §p; we usually suppress the superscript when it refers to the current round. 

To simplify the presentation, we have refrained from purging outdated information from the network approx¬ 
imation graph. Actually, our consensus algorithm only queries InStableRoot for intervals that span at most 
the last 2H + 1 rounds, i.e., any older information could safely be removed from the approximation graph, 
resulting in a message complexity that is polynomial in n. 
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Algorithm 1 Local Network Approximation (Process Pi) 

Provides externally callable function InStableRoot(). 

Variables and Initialization: 

1: Ap^ ~ {Npi,Ep^) initially ({pi},0) // weighted digraph without multi-edges and loops 
Emit round r messages: 

2: send {Ap ^) to all current neighbors 
Round r: computation: 

3: for q € Afp. and q sent message {Aq) in r do 

4: if 3 edge e = {q ^ pi) € Ep^ then 

5: replace e with {q ^ pi) in Ep^ where T' •<— T U {r} 

6: else 

7: add e := {q ^ pi) to Ep^ 

8: Np^ ^— Npj^ U Vq 

9: for every pair of nodes {v, w) £ Vp^ x Vp^, v A w do 

10: if T' = U {-S' I 3g € : (v 4 w) £ Eq| / 0 then 

T TUT' T' 

11: replace {v w) in Ep^ with (v —>■ w); add {v —> w) if no such edge exists 

12: function InStableRoot(7) 

13: Let Ap^\t be induced graph of {(u 4 w) G Ep. | t £ t| 

14: Let Cpjt be Ap^\t if it is strongly connected, or the empty graph otherwise. 

15: if Vti,t2 -Cp, ■- V{Cp,\ti) = V{Cp,\t2) A 0 then 

16: return Cp^ 

17: else 

18: return 0 

Induction base r = t: If Ap\t contains {v —>■ w) at the end of round r = t, it follows from Aq\t = {{ 9 }, 0) 
at the end of every round r < t, for every q G 11, that w = p, since p is the only processor that can have 
added this edge to its graph approximation. Clearly, it did so only when v G A/^, i.e., {v ^ w) G Q* , and 
included also {v' -G w) for every v' G N* on that occasion. This confirms (i) and (ii). 

Induction step r^r-|-l,r^t: Assume, as our induction hypothesis, that (i) and (ii) hold for any 
Aq\t at the end of round r, in particular, for every q G . If indeed (v -G w) in Ap\t at the end of 
round r 3- 1, it must be contained in the union of round r approximations 

U = {Ap\t)ul U Aq\t 

\<]£n;+^ 

and hence in some Ai\t {i = q or i = p) at the end of round r. Note that the edges (labeled r 3- 1) added 
in round r 3- 1 to Ap are irrelevant for Ap\t here, since t < r 3- 1. 

Consequently, by the induction hypothesis, {v ^ w) G G*, thereby confirming (i). As for (ii), the 
induction hypothesis also implies that (n' —>■ w) is also in this Ai\t. Hence, every such edge must be in 
U and hence in Ap\t at the end of round r 3- 1 as asserted. □ 

The following Lem. 12 shows that locally detecting Ap\t to be strongly connected (in line 14 of 
Alg. 1) implies that p is in the root component of round t. This result rests on the fact that Ap\t 
underapproximates G* (Lem. 11.(i)), but does so in a way that never omits an in-edge at any process 
q G Ap\t (Lem. 11.(ii)). 

Lemma 12. If the graph Cp\t (line I 4 ) with t < r is non-empty in round r, then p is member of , 
i.e., p G R. 

Proof. For a contradiction, assume that Cp\t is non-empty (hence Ap\t is an SCC by line 14), but p ^ R. 
Since p is always included in any Ap by construction and Ap\t underapproximates G* by Lem. 11.(i), this 
implies that Ap\t cannot be the root component of G*■ Rather, Ap\t must contain some process w that 
has an in-edge (v —>■ w) in C/* that is not present in Ap\t. As w and hence some edge (g 4 w) is contained 
in Ap\t, because it is an SCC, Lem. 11.(ii) reveals that this is impossible. □ 
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From the definition of the function InStableRoot(/) in Alg. 1 and Lem. 12, we get the following 
Corollary 1. 

Corollary 1. If the function InStableRoot(/) evaluates to tb at process p in round r, then Vx € / 
where x < r, it holds that p is a member of , i.e., p € R. 

The following Lem. 13 proves that, in a sufficiently long / = [a, b] with a /-vertex-stable root compo¬ 
nent R^, every member p of R^ detects an SCC for round a (i.e., Cpla ^ 0) with a latency of at most D 
rounds (i.e., at the end of round a + D). Informally speaking, together with Lem. 12, it asserts that if 
there is an /-vertex-stable root component R^ for a sufficiently long interval I, then a process p observes 
Cp\a^% from the end of round a + D on p & R. 

Lemma 13. Consider an interval of rounds I = [a, 6], such that there is a D-bounded I-vertex-stable 
root component R^ and assume |/| = 6 — a -I- 1 > D. Then, from the end of round a -\- D onwards, we 
have Cp\a = R^, for every process in p £ R^. 

Proof. Consider any q S R^. At the beginning of round a-\-l, q has an edge {q' ^ q) in its approximation 
graph Ag with a G T iS q' G Aff. Since processes always merge all graph information from other processes 
into their own graph approximation, it follows from the definition of a H-bounded /-vertex-stable root 
component (Def. 9) in conjunction with the fact that a-|-l ^ b — D 1 that every p G R^ has these 
in-edges of q in its graph approximation by the end of round a -I- 1 -f H — 1. Since R^ is a vertex-stable 
root-component, it is strongly connected without in-edges from processes outside R^. Hence Cpla = R^ 
from the end of round a D on, as asserted. 

This immediately gives us the following Corollary 2, which ensures that in a sufficiently long I- 
VSRC R^, with / = [a, 5] and member set R, every p G R detects its membership in the J-VSRC R'^, 
J = [a, b — D] Cl, with a latency of at most D rounds. 

Corollary 2. Consider an interval of rounds I = [a, b], with |/| = 6 — a -I-1 > H, such that there is a D- 
bounded vertex-stable root component R^. Then, from the end of round b on, a call to InStableRoot([a, b— 
D]) returns R at every process in R. 

Together, Corollaries 1 and 2 reveal that InStableRoot(.) precisely characterizes the caller’s actual 
membership in the [a, b — DJ-VSRC R^ in the communication graphs from the end of round b on. 

5.2 Core consensus algorithm for VSRC(2Z) + 2H + 2) 

As explained in Section 5, the core consensus algorithm stated in Alg. 2 builds upon the network 
approximation algorithm given as Alg. 1: Relying on Corollary 1, every process uses InStableRoot 
provided by Alg. 1 to detect whether it has been in the vertex-stable root component of some past 
round(s). Since Corollary 2 reveals that InStableRoot has a latency of up to ^ iL rounds for reliably 
detecting that a process is in the vertex-stable root component of some (interval of) rounds, our algorithm 
(conservatively) looks back D rounds in the past when locking a value. 

In more detail, Alg. 2 proceeds as follows: Initially, no process has locked a value, that is, lockedp = 
FALSE and lockRoundp = 0. Processes try to detect whether they are privileged by evaluating the 
condition in line 15. When this condition is true in some round £, they lock the current value (by setting 
lockedp = TRUE and lockRound to the current round), unless lockedp is already true. Note that our 
locking mechanism does not actually protect the value against being overwritten by a larger value being 
also locked in t, it locks out only those values that have older locks I < £. 

When the process m that had the largest value in the root component of round £ detects that it has 
been in a vertex-stable root component in all rounds £ to £ -\- H (line 20), it can decide on its current 
value. As all other processes in that root component must have had m’s value imposed on them, they 
can decide as well. After deciding, a process stops participating in the flooding of locked values, but 
rather (line 6) floods the network with (decide, x). Since the stability window guaranteed by Def. 12 
with d = 2D -\- 2H -|- 2 is large enough to allow every process to receive this message, all processes will 
eventually decide. 

Before we turn our attention to the correctness proof of Alg. 2, we need to define how the network 
approximation algorithm and the core consensus algorithm are combined to form a joint algorithm in our 
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Algorithm 2 Solving Consensus; code for process pi 
1 : Simultaneously run Alg. 1. 

Variables and Initialization: 

2 : Xp^ G N, initially own input value 
3: lockedp^,decidedp^ € {false,true} initially false 
4: lockRoundp^ G Z initially 0 

Emit round r messages: 

5: if decidedp^ then 
6: send (decide, Xp^) to all neighbors 

7: else 

8: send {lockRcnindp^,Xp^) to all neighbors 

Round r computation: 

9: if not decidedp^ then 

10 : if received (decide, a:^) from any neighbor q then 

11 : ^Pi 1 ^9 

12: decide on Xp^ and set decidedp^ ■<— true 

13: else // pi only received {lockq,Xq) messages (if any): 

14: {lockRoundp^,Xp^) max{(iocfc^,a;,) | q G Afp. U {pi}} // lexical order in max 

15: if InStableRoot([r — D — l,r — D]) 7 ^ 0 then 

16: if (not lockedp.) then 

17: lockedp^ ■<— true 

18: lockRoundp. •<—r 

19: else 

20: if InStahleKoot{[lockRoundp^,lockRoundp^ + H]) 7 ^ 0 then 

21 : decide on Xp^ and set decidedp^ •<— true 

22: else // InStableRoot([r — D — 1, r — D]) returned 0 

23: focfeedp^ false 
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computation model. Informally, we assume that (i) the complete round r computing step of the network 
approximation algorithm is executed just before the round r computing step of the consensus algorithm, 
and that (ii) the round r message of the former is piggybacked on the round r message of the latter. 
Consequently, the round r computing step of the consensus core algorithm, which terminates round r, 
can already access the result of the round r computation of the network approximation algorithm, i.e., 
its state at the end of round r. Consequently, Corollaries 1 and 2 reveal that a call to InStableRoot(/) 
with I = [a,b — D] hy p in the transition function of round b (or later) returns ^ 0 precisely when a 
VSRC containing p existed. 

Formally, let be the set of states, message alphabet, transition function, and 

message sending function of the network approximation algorithm, with S^’’^ € §^, and 

denoting its state at the beginning of round r, the message sent in round r, and the set of messages 
received in round r. Analogously, let , S^’^, nip’^ and Pp’^ be the corresponding 

entities for the core consensus algorithm; note that §p CiSp = {Ap}, albeit the core consensus algorithm 
only reads (but never writes) the graph approximation Ap (when calling InStableRoot). 

For the joint algorithm, we define the joint state space as = §p USp and the joint message alphabet 
as X . We assume that there are projection functions tt^ : ^ resp. tt'" : ^ §p 

which, given can be used to obtain the corresponding Sp'^ = TT^{Sp''~) resp. 5'^’’' = tt'"(S'^’’'). 

The joint message sending function Mp : ^ just computes the pair of messages {nip''", nip''") 

via TUp''" = Mp{Sp''~) and nip''" = Mp{Sp'''). The joint transition function Tp : §p x —>• 

first applies to Sp’'' to compute (i) 5'^’’'+^ and (ii) an intermediate state 5'^’’’+ that is identical to 
Sp'"" except that Ap is replaced by the newly computed Ap+^. Tp is then applied to 5'^’’'+ to compute 
the state which finally results in 5'^’’'+^ = Sp''~~^^ U Sp''~~^^. All this happens atomically and 

instantaneously at the round switching time. 

Our correctness proof starts with the validity property of consensus according to Def. 3. 

Lemma 14 (Validity). Every decision value is the input value of some process. 

Proof. Processes decide either in line 12 or in line 21. When a process decides via the former case, it 
has received a (decide, Xq) message, which is sent by g iff g has decided on Xq in an earlier round. In 
order to prove validity, it is thus sufficient to show that processes can only decide on some process’ input 
value when they decide in line 21, where they decide on their current estimate Xp. Let the round of this 
decision be r. The estimate Xp is either p's initial value, or was updated in some round r' ^ r in line 14 
from a value received by way of one of its neighbors’ {lockRound, x) message. In order to send such a 
message, q must have had Xq = x aX the beginning of round r', which in turn means that Xq was either 
q's initial value, or q has updated Xq after receiving a message in some round Vq < r. By repeating this 
argument, we will eventually reach a process that sent its initial value, since no process can have updated 
its decision estimate prior to the first round. □ 

The following Lem. 15 states a number of properties maintained by our algorithm when the first 
process p has decided. Essentially, they say that there has been a vertex-stable root component in the 
interval I = [(. — D — 1,(1. + H] centered around the lock round ( (but not earlier), and asserts that all 
processes in that root component chose the same lock round (. 

Lemma 15. Suppose that process p decides in round r, no decisions occurred before r, and£ = lockRound'p, 
then 

(i) p is in the vertex-stable root component R^ with I = [( — D — 1,( H] and member set R, 

(ii) ( + H i^r i^( + H + D, 

(Hi) R 7 ^ R', where R' is the members set of the VSRC , and 

(iv) all processes in R executed line 18 in round £, and no process in n\R can have executed line 18 in 
a round ^ £. 

Proof. Item (i) follows since line 15 has been continuously true since round £ and from Lem. 12. As 
for item (ii), £ -\- H ^ r follows from the requirement of line 20, while r ^ £ -\- H D follows from (i) 
and the fact that by Lem. 13 the requirement of line 20 cannot be, for the first time, fullfilled strictly 
after round £ -\- H -\- D. From Lem. 13, it also follows that if i? = R', then the condition in line 15 
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would return true already in round £ — 1, thus locking would occur already in round £ — 1. Since p did 
not lock in round £ — 1, (in) must hold. Finally, from (i), (hi), and Lem. 13, it follows that every other 
process in R also has InStableRoot([^ — D — 1,£ — D]) = true in round £. Moreover, due to (iii), 
InStableRoot([£ — 1 — D — 1, £ — 1 — D]) = FALSE in round £ — 1, which causes all the processes in R (as 
well as those in 7T \ i?) to set lockRound to 0. Since InStableRoot([f' — D — !,£' — D]) cannot become 
true for any ^ f at a process q € n\R, as Cq|r = 0 for any r G / by Corollary 1, (iv) also holds. □ 

The following Lem. 16 asserts that if a process decides, then it has successfully imposed its proposal 
value on all other processes. 

Lemma 16 (Agreement). Suppose that process p decides in line 21 in round r and that no other 
process has executed line 21 before r. Then, for all q, it holds that = Xp. 

Proof. Using items (i) and (iv) in Lem. 15, we can conclude that p was in the vertex-stable root component 
of rounds £ = lockRoundp to £ + H and that all processes in it member set R have locked in round £. 
Therefore, in the interval [£,£ + H], £ is the maximal value of lockRound. More specifically, all processes 
q in R have lockRoundq = £, whereas all processes s in n\R have lockRoundg < £ during these rounds 
by Lem. 15.(iv). Let m € R have the largest proposal value = Xmax among all processes in R. 
Since m is in R, there is a causal chain of length at most H from m to any q € U. Note carefully that 
guaranteeing this property requires item (ii) of Def. 12, as the first decision (in round r) need not occur 
in the eventually guaranteed 2D -|- 2H -|- 2-VSRC but already in some earlier “spurious” VSRC. 

Since no process executed line 21 before round r, no process will send decide messages in \£, £ + H]. 
Thus, all processes continue to execute the update rule of line 14, which implies that Xmax will propagate 
along the aforementioned causal path to q. □ 

Theorem 5 (Consensus under VSRC (211 -|- 2H -1-2)). Let rsr be the beginning of the stability win¬ 
dow guaranteed by the message adversary VSRClflD -|- 2H 2) given in Def. 12. Then, Alg. 2 in con¬ 
junction with Alg. 1 solves consensus by the end of round rsr + 2,D -\- 2H -\- 1. 

Proof. Validity holds by Lem. 14. Considering Lem. 16, we immediately get agreement: Since the first 
process p that decides must do so via line 21, there are no other proposal values left in the system. 

Observe that, so far, we have not used the liveness part of Def. 12. In fact, Alg. 2 is always safe in 
the sense that agreement and validity are not violated, even if there is no vertex-stable root component. 

We now show the termination property. By Corollary 2, we know that every process inp G R evaluates 
the predicate InStableRoot([r 5 T 5 'Cst + 1]) = true in round £ = rsr + D-\-l, thus locking in that round. 
Furthermore, Def. 12 and Corollary 2 imply that at the latest in round d = £ -\- D -\- H every process 
p G R will evaluate the condition of line 20 to true and thus decide using line 21. Thus, every such 
process p will send out a message m = (decide, Xp). By Def. 10 and Def. 12, we know that every q G U 
will receive a decide message at the latest in round d-\- H = £ -\- D -\- 2H = rsr + 2,D -\- 2H -\- 1 and 
decide by the end of this round. □ 

6 Impossibilities and Lower Bounds for fc-Set Agreement 

In this section, we will turn our attention from consensus to general k-set agreement and prove related 
impossibility results and lower bounds. We will accomplish this by showing that certain “natural” message 
adversaries do not allow to solve fc-set agreement. For example, as excessive partitioning of the system 
into more than k root components makes k-set agreement trivially impossible, one natural assumption 
is to restrict the maximum number of root components per round in our system to k. 

Def. 15 below defines the generic message adversary ySRC{k,d), which allows at most k VSRCs per 
round and guarantees a common window of vertex stability of duration at least d. Note that it implicitly 
involves both the dynamic causal diameter D and the dynamic network causal diameter H ^ D according 
to Def. 9 and Def. 10 (that have be enforced by the message adversary). 

Definition 15 (Message adversary VSRC(fc, d)). The message adversary VSRC{k,d) is the set of 
all sequences of communication graphs (Q^)r>o, where 

(i) for every round r, contains at most k root components. 
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(a) all vertex-stable root components occurring in any {G^)r>o are D-bounded, 

(Hi) for each (G^)r>o, there exists some rsT > 0 and an interval of rounds J = [rsT,rsT + d— 1] where 
1 ^ ^ fc H-network-bounded vertex-stable root components R(,... ,Rj exist simultaneously. 

Like for Def. 12, item (ii) has only been added for the sake of the fc-set agreement algorithm (Alg. 4); 
the impossibility results and lower bounds also hold when (ii) is dropped or replaced by something 
that does not affect item (iii). Observe that VSRC(l,d) is the same as VSRC(d) except that item (ii) 
requires all VSRCs to be H-bounded instead of iJ-network-bounded. Note also that the message adversary 
VSRC(fc, 1) guarantees at most k VSRCs in every , r > 0. 

We will now prove that it is impossible to solve fc-set agreement for 1 ^ fc < n — 1 under the message 
adversary VSRC(fc, min{n — k, H} — 1), even under the slightly weaker version of this message adversary 
stated in Theorem 7 below. We will use the generic impossibility theorem provided in [7, Thm. 1] for 
this purpose. In a nutshell, the latter exploits the fact that fc-set agreement is impossible if k sufficiently 
disconnected components may occur and consensus cannot be solved in some component. 

We hrst introduce the required definitions: Two executions of an algorithm a, (3 are indistinguishable 
(until decision) for a set of processes V, denoted a ~ /3, if for any p G 27 it holds that p executes the 
same state transitions in a and in /3 (until it decides). Now consider a model of a distributed system 
M = (27) that consists of the set of processes II and a restricted model M' = (27) that is computationally 
compatible to M (i.e., an algorithm designed for a process in M can be executed on a process in M') 
and consists of the set of processes V C II. Let A be an algorithm that works in system A4 = (II), 
where A4a denotes the set of runs of algorithm Aon and let 27 C 72 be a nonempty set of processes. 

Given any restricted system M' = (27), the restricted algorithm Ajp for system M' is constructed by 
dropping all messages sent to processes outside 27 in the message sending function of A. We also need 
the following similarity relation between runs in computationally compatible systems (cf. [7, Definition 
3]): Let R and TV be sets of runs, and 27 be a non-empty set of processes. We say that runs R' are 
compatible with runs R for processes in 27, denoted by R' =4v 27., if Va & R' 3j5 & R\ a ^ (3. 

Theorem 6 (7-Set Agreement Impossibility [7, Thm. 1]). Let M = (27) be a system model and 
consider the runs A4 a that are generated by some fixed algorithm A in M, where every process starts 
with a distinct input value. Fix some nonempty and pairwise disjoint sets of processes T>i,... ,Vk-i, and 
a set of distinct decision values {fi,..., Vk-i}. Moreover, let 27 = 27j and 27 = 27 \ 27. Consider 

the following two properties: 

(dec-27) For every set T>i, value Vi was proposed by some p G 27, and there is some q €Vi that decides 

Vi^ _ _ 

(dec-27) If pj G 27 then pj receives no messages from any process in 27 until every process in 27 has 
decided. 

Let R(^j C M.A and R^-j, pj ^ Ad a be the sets of runs of A where (dec-T>) respectively both, (dec-T>) 
and (dec-V), hold.^^ Suppose that the following conditions are satisfied: 

(A) R^^j is nonempty. 

(B) 77 77^25ypj. 

In addition, consider a restricted model M' = (27) such that the following properties hold: 

(C) There is no algorithm that solves consensus in M'. 

(D) M'^_^^Ma. 

Then, A does not solve k-set agreement in M. 

The proof of Theorem 7 below utilizes Theorem 6 in conjunction with the impossibility of consensus 
under VSRC(27 — 1) established in Theorem 4. 

Theorem 7 (Impossibility of fc-set agreement under VSRC(fc,min{n — 7,27} — 1)). There is no 

algorithm that solves k-set agreement with n > 7-1-1 processes under the message adversary VSRC{k, min{n — 7, 27} — 1) 

stated in Def. 15, for any 1 ^ 7 < n — 1, even if there are 7 — 1 root components Ri,... ,Rk-i that 

are vertex-stable all the time, i.e., in [l,oo] (and only root component R^ is vertex-stable for at most 

min{n — 7, 27} — 1 rounds). 

Note that R(p-^ is by definition compatible with the runs of the restricted algorithm Ap. 
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Proof. Suppose that there is a fc-set algorithm A that works correctly under the assumptions of our theo¬ 
rem. For k = 1, Theorem 7 is implied by Theorem 4, since VSRC(1, H — 1) is the same as VSRC(i7 — 1) 
if item (ii) is dropped in both definitions. 

To prove the theorem for k > 1, we will show that the conditions of the generic Theorem 6 are satisfied, 
thereby providing a contradiction to the assumption that A exists. Let Vi = {pi} for 0 < i ^ /c — 1 and 
let V = Vi. Consequently, V = {pk,Pk+ii ■ ■ ■ 1^1 ^ 

(A) The set of runs of A where no process in V receives any message from V before it dedices is 

nonempty: We choose the communication graph in every round to be such that V has no incoming links 
from V until every process in V has decided. Since any such sequence of communication graphs satisfies 
the assumptions of our theorem, ^ 0 . 

(B) The set of runs of A where both (i) some process in every Di decides Vi and (ii) no process 

in V receives any message from V before it decides satisfies =4^ Tip : Let PL be the set of runs 
where processes pi have unique input values Xi = i, 0 < i < k, the communication graph in every round 
is such that pi,... ,Pk-i are isolated, and pk^ ■. ■ ,Pn are weakly connected (with a single root) until 
every process has decided. By the assumptions of our theorem, PL is non-empty. Since (i) the processes 
in V never receive a message from a process in V in both Pi-p'^ and PL, and (ii) the initial values of the 
processes in V are not restricted in PL in any way, it is easy to find, for any run p S TPpp a run p' G PL 

such that p p'. Because obviously PL C Pip py we have established TPp^ =4^ '^(t> v)- 

(C) Consensus is impossible in PA' = (77): Let V be the partition containing the A:**' root component Rk-, 
which is perpetually changing in every round, except for some interval of rounds 1 = [rsT) tst + 7 — 1], 
where L = min{n — k,H} — 1, for some fixed rsT- During this interval, let the topology of V be such 
that there exists some p G Rk and some q G V with cd'’®^(p, q) = L + 1. Since |77| = n — k + 1, such a 
topology (e.g. a chain with head p and tail q) can be created by the message adversary VSRC(iL — 1) 
underlying Theorem 4 exists. Hence, consensus is impossible in V. 

(D) Af (4 _ PA A- Fix any run p' G PA'_^_ and consider a run p G PAa, where every process in V has 

the same sequence of state transitions in p as in p'. Such a run p exists, since the processes in V can be 
disconnected from V in every round in A4^, so p ~ □ 

Since Theorem 7 tells us that no fc-set agreement algorithm (for 1 ^ fc < n — 1) can terminate with 
insufficient concurrent stability of the at most k root components in the system, it is tempting to assume 
that fc-set agreement becomes solvable if a round exists after which all communication graphs remain 
the same. However, we will prove in Theorem 8 below that this is not the case for any 1 < fc ^ n — 1. 
We will again use the generic Theorem 6 , this time in conjunction with the variant of the well-known 
impossibility of consensus with lossy links [50,52] provided in Lem. 17, to prove that ensuring at most k 
different decision values is impossible here, as too many decision values may originate from the unstable 
period. 

Lemma 17. Let PA' = {p,q) he a two-processor subsystem of our system PA = (II). If the sequence of 
communication graphs Q'', r > 0, of PA are restricted by the existence of a round r' > 0 such that (i) for 
r < r', {p ^ q) G Q'' and/or {q ^ p) G Q"", and no other edges incident with p or q are in S'", and (ii) 
for r ^ r', there are no edges incident with p and q at all in t/'’, then consensus is impossible in PA'. 

Proof. Up to r', this is ensured by the impossibility of 2-processor consensus with a lossy but at least 
unidirectional link established in [52, Lemma 3]. After r', this result continues to hold (and is even 
ensured by the classic lossy link impossibility [50]). Hence, consensus is indeed impossible in PA'. □ 

Theorem 8 . There is no algorithm that solves k-set agreement for n k+1 processes under the message 
adversary VSRC{k,oo), for every 1 < k < n. 

Proof. Suppose again that there is a k-set algorithm A that works correctly under the assumptions of 
our theorem. We restrict our attention to runs of PAa where, until rsT, (i) the same set of fc — 1 root 
components {Vi,... ,Vk-i\ with V = Vi exists in every round, and (ii) two remaining processes 
V = n\V = {pi,P 2 } exist, which are (possibly only uni-directionally, i.e., via a lossy link) connected in 
every round, without additional edges to or from V. After rsT, the communication graph remains the 
same, except that the processes in V are disconnected from each other and there is an edge from, say. 
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Pi to some process in 2? in every round. Note that these runs satisfy Def. 15 for d = oo, as the number 
of root components never exceeds k. 

Moreover, we let the adversary choose rsr sufficiently large such that the processes in V have decided. 
Since the processes in 'Di {i < 0 < k) never receive a message from the remaining system before rsT, in 
which case they must eventually unilaterally decide, we can safely assume this. 

We can now again employ the generic impossibility Theorem 6 in this modihed setting. The proofs 
of properties (A), (B) and (D) remain essentially the same as in Theorem 7. It hence only remains to 
prove: 

(C) Consensus is impossible in AI' = (T*): This follows immediately from Lem. 17 with r' = rsr- □ 

The following Theorem 9 reveals that even (considerably) less than k root components per round 
before stabilization and a single perpetually stable root component after stabilization are not sufficient 
for solving fc-set agreement. 

Theorem 9. There is no algorithm that solves k-set agreement for n ^ fc+1 processes under the message 
adversary VSRC{\k/2] + l,oo), for every 1 < k < n, even if G'' =G, r ^ rsr, where G contains only a 
single root component. 

Proof. We show that, under the assumption that A exists, there is a sequence of communication graphs 
that is feasible for our message adversary that leads to a contradiction. We choose Xi = i for all Pi G 11 
and let = {pi+2i,P2+2i} for 0 < t < \k/2'\ - 1. If A: is even, let Vk/2-i = {Pk-i,Pk}', if k is odd, let 
'^\k/2-i-] = {Pk}- In any case, let T>ik/2] = {Pk+i}- Finally, let V = {pk+2, ■ • ■ ,Pn}- Note that V may 
be empty, while all Vi are guaranteed to contain at least one process since n > k. For all rounds, the 
processes in V have an incoming edge from a process in one of the Vi. 

We split the description of the adversarial strategy into [fc/2] + 1 phases in each of which we will 
force some Vi to take \Vi\ decisions. To keep processes p,q G Vi with \Vi\ = 2 from deciding on the 
same value before their respective phase i, the adversary restricts G^ such that (i) there are no links to 
Vi from any other Vj and (ii) either the edge {p -G q) or {p G- q) or both are in G^, in a way that causes 
Lem. 17 to apply. Note carefully that any such G'' indeed has no more than [fc/2] + 1 root components. 

In the initial phase, V^k/2] is forced to decide: Since Pk+i has no incoming edges from another node 
in U’’, this situation is indistinguishable from a run where Pk+i became the single root after rsT- Thus, 
by the correctness of A, Pk+i must eventually decide on Xk+i = fc + 1. At this point, the initial phase 
ends, and we can safely allow the adversary to modify C/'’ in such a way that Pk+i has an incoming edge 
from some other process. 

We now proceed with \k/2\ — 1 phases: In the phase, 0 < i < \k/2\ —1, the adversary drops 
any link between the processes p,q G Vi (and does not provide an incoming link from any other process, 
as before) in any C/’’. Since, for both p and q, this is again indistinguishable from the situation where 
they become the single root after rsT, both will eventually decide in some future round (if they have 
not already decided). Since the adversary may have chosen a link failure pattern in earlier phases that 
causes the impossibility (= forever bivalent run) of Lem. 17 to apply, as =4T>i Al^, it follows that 

A and hence A|i). cannot have solved consensus in Vi. Since A solves fc-set agreement, p and q must 
hence decide on two different values. Moreover, since neither p nor q ever received a message from a 
process not in Vi, their decision values must be different from the ones in all former phases. 

Finally, after p and q have made their decisions, the adversary may again modify G'^ such that they 
have an incoming edge from some other process, thereby reducing the number of root components by 
two and preserving the maximum number [fc/2] + 1 of root components, and continue with the next 
phase. 

If k is even, then the final phase [A:/2] — 1 forces two more decisions just as described above; otherwise, 
Pk provides one additional decision value (which happens concurrently with the initial phase here). In 
either case, we have shown that all pi with 1 ^ z ^ A: + 1 have decided on different values, which 
contradicts the assumption that a correct algorithm A exists. □ 

Note that Theorem 9 reveals an interesting gap between 2-set agreement and 1-set agreement, i.e., 
consensus: It shows that 2-set agreement is impossible with [A:/2]+l = 2 root components per round 
before and a single fixed root component after stabilization. By contrast, if we reduce the number of 
root components per round to a single one before stabilization (and still consider a single fixed root 
thereafter), even 1-set agreement becomes solvable [9]. 
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7 Algorithms for fc-Set Agreement 


In this section, we will provide a message adversary MAJINF(fc) (Del. 21) that is sufficiently weak for 
solving fc-set agreement if combined with VSRC(n, 31? + iJ) (Def. 15). Although we can of course not 
claim that it is a strongest one in terms of problem solvability (we did not even define what this means), 
we have some indications that it is close to the solvability/impossibility border. 


7.1 Set agreement 

To illustrate some of the ideas that will be used in our message adversary for general k-set agreement, we 
start with the simple case of n — 1-set agreement (also called set agreement) first. Note that Theorem 7 
does not apply here. To circumvent the impossibility result of Theorem 9, it suffices to strengthen the 
assumption of at most n — 1 root components in every round such that the generation of too many 
decision values during the unstable period is ruled out. A straightforward way to achieve this is to just 
forbid n different decisions obtained in root components consisting of a single process. Achieving this is 
easy under the An-i-influence message adversary given in Def. 16, the name of which has been inspired 
by the Sn-i failure detector [12]. 

Definition 16 (An-i-infiuence message adversary). The message adversary En-i-MAJ is the set 
of all sequences of communication graphs (^’')j.> 0 ; where in any set of n root components 

consisting of single processes Ri = {pi}, 1 ^ i ^ n, occuring in any run the following holds: There are 
two indices i, j ^ i such that Rj' influences denoted Rj'^Rj^, in the sense that there exists a 
causal chain starting after R that ends before or at the beginning of Ij. 

It is easy to devise a set agreement algorithm that works correctly in a dynamic network under 
Def. 16, provided (a bound on) n is known: In Alg. 3, process Pi maintains a proposal value Vi, initially 
Xi, and a decision value t/j, initially T, which are broadcast in every round. If pi receives no message 
from any other process in a round, it decides by setting yi = Vi. If pi receives a message from some pj 
that has already decided {yj T), it sets yi = yj. Otherwise, it updates Vi to the maximum of Vi and 
all received values Vj. At the end of round n, a process that has not yet decided sets yi := Vi, and all 
processes terminate. 


Algorithm 3 Set agreement algorithm for message adversary An-i-MAJ. 

Set agreement algorithm, code for process pi: 

1: Vi Xi G V jj initial value 

2 : Vi ■.= ± 

Emit round r messages: 

3: send {vi,yi) to all 

Receive round r messages: 

4: receive {vj,yj) from all current neighbors 
Round r: computation: 

5: Vi max{ui, Vj : j G } 

6: if aj : (yj ^ ±) A. (vi = J-) then 

7: Vi Vj 

8: if {Mp^ = 0) A {vi = -L) then 

9 : yi '= Vi 

10: if (r = n) A {yi — _L) then 

11: yi ;= Vi; terminate 


Theorem 10 (Correctness Alg. 3). Alg. 3 solves n — 1-set agreement in a dynamic network under 
message adversary Sn-i-MAJ given in Def. 16. 

Proof. Termination (after n rounds) and also validity are obvious, so it only remains to show n — 1- 
agreement. Assume, w.l.o.g., that the processes Pi,P 2 , ■ ■ • are ordered according to their initial values 
a:i ^ a ;2 ^ ..., and let be the set of different values (in yi or, if still yi = T, in Vi) present in the system 
at the beginning of round k^ 1] = {xi ,..., x„} is the set of initial values. Obviously, A 5”^ A ..., 

and since n — 1-agreement is fulfilled if < n, we only need to consider the case where all Xi are 

different. 
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Consider process pi: If pi gets a message from some other process pj in round 1, a;i ^ as (i) pi 
does not decide on its own value and sets vi ^ vj ^ Xj > xi and (ii) no process that receives a message 
containing xi from pi takes on this value. Hence, n — 1-set agreement will be achieved in this case. 
Otherwise, pi does not get any message in round 1 and hence decides on xi. 

Proceeding inductively, assume that pi € = {pi ,... ,pi_i} has decided on Xi by round k ^ 

and received only messages from processes with smaller index in rounds 1,... ,k — 1 and no message in 
round k. Now consider process pp. If pi gets a message from some process pj with j > i in some round 
k ^ i, with minimal k, before it decides, then Xi ^ 5'*+^ as (i) pi does not decide on its own value 
and sets Vi ^ Vj ^ xj > Xi, (ii) pi did not send its value to any process in before their decisions, 
and (iii) no process with index larger than i that receives a message containing Xi from pi takes on this 
value. Hence, n — 1-set agreement will be achieved in this case. Otherwise, if pi gets a message from some 
process pi € p*-i in round i, it will decide on pis decision value xe and hence also cause Xi ^ 5'*+^. In 
the only remaining case, pi does not get any message in round i and hence decides on Xi, which completes 
the inductive construction of P* = {pi,... ,pi} for i < n. 

Now consider pn in round n in the above construction of P": Def. 16 prohibits the only case where 
n — 1-agreement could possibly be violated, namely, when also decides on a;„: During the first n 
rounds, we would have obtained n single-node root components no two of which influence each other in 
this case. Thus, we cannot extend the inductive construction of P* to i = n, as the resulting execution 
would be infeasible. □ 

7.2 A message adversary for general fc-set agreement 

Whereas the set agreement solution introduced in the previous subsection is simple, it is apparent that 
Def. 16 is quite demanding. In particular, it requires explicit knowledge of (a bound on) n. We will now 
provide a message adversary MAJINF(fc) (Def. 21), which is sufficient for general fc-set agreement if 
combined with VSRC(n, 3P -I- P) (Def. 15). We obtained this combination by adding some additional 
properties to the necessary network conditions implied by our impossibility Theorems 7 and 9.^"^ 

To avoid non-terminating (i.e., forever undecided) executions as predicted by Theorem 7, we require 
the stable interval constraint guaranteed by the message adversary VSRC(n, 3P -I-P) to hold. The 
parameter D, which can always be safely set to P = n — 1 according to Lem. 3, allows to adapt the 
message adversary to the actual dynamic causal diameter guaranteed in the VSRCs of a given dynamic 
network. Note that, since D > 0, rounds where no message is received are not forbidden here (in contrast 
to Def. 16). 

In order to also circumvent executions violating the fc-agreement property established by Theorem 9, 
we introduce the majority influence constraint guaranteed by the message adversary MAJINF(fc) given 
in Def. 21 below. Like Def. 16 for set agreement, it guarantees some (minimal) information flow between 
sufficiently long-lasting vertex-stable root components that exist at different times. As visualized in 
Fig. 2, it implies that the information available in any such VSRC originates in at most fc “initial” 
VSRCs. Thereby, it enhances the very limited information propagation that could occur in our model 
solely under VSRC(fc,3P -I- P), which is too strong for solving fc-agreement. 

Formally, given some run p, we denote by Yd the set of all root components that are vertex-stable for 
at least d consecutive rounds in p. Let Rcur G Vi be vertex-stable in I cur = [fcur, Scur] and Rsuc G Vi 
be vertex-stable in Rue = [rsuc, Ssuc] with Vguc > Scur] note that Vd C Vi for every d ^ 1. 

Definition 17 ((Weak) Influence). Given any two Rcur,Rs^c G rue say that some process p € 
R^^r influences some process q € Ri‘Yc rind write p^q with ^ C P^ ijf there exists a causal chain from 
p to q starting after Rur that ends before or at the beginning of I sue, i-e-, cd'*‘=“’'+^(p, g) ^ Vsuc — Sc«r- 

An alternative way to derive sufficient network assumptions for, e.g., n —2-set agreement could be to generalize 
Def. 16: One could e.g. assume that at least two out of every set of n — 1 different root components consisting 
of 1 or 2 processes are influenced by a common predecessor root component. Whereas this assumption does not 
require vertex stability of root components, it effectively ensures that information propagates not slower as in 
VSRCs. Owing to this fact, it also prohibits the existence of the node q in Def. 14 with causal distance D from 
p in the root component, thereby causing the proof of Theorem 7 to fail. Working out the details may turn out 
difficult, though: After all, unlike single-process roots, larger root components suffer from the problem that its 
members cannot always determine whether the root was a VSRC or not. Influence must hence be conservative, 
in the sense that it involves even potential 2-process roots. 
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Fig. 2: VSRCs influencing each other in a 
t run, for k — 2. Time progresses from left to 

right; all shaded nodes are stable for more 
than 2D rounds, white nodes are stable be¬ 
tween D + 1 and 2D rounds. Thick arrows 
represent majority influence, thin arrows rep¬ 
resent (weak) influence. At most two shaded 
nodes, depicted darkly shaded, may exist 
that are not majority-influenced by another 
shaded node. 


In this case, we also say that (weakly) influences Rlutil write , using the relation 

^ C Vi here. 

We will also need stronger notions of influence, which are based on the following Def. 18: 

Definition 18 (Influence Sets). Given any two Rcur, Rsuc G Vi, their influence set is IS{Rcur, Rsuc) '■= 
{q € R 

sue \3p € R 

cur : p^q}. 

The majority influence between the nodes in Rcur and Rsuc guarantees that Rcur influences a set of 
nodes in Rsuc, which is greater than any set influenced by VSRCs not already known by the processes 
in Rcur (and greater than or equal to any set influenced by VSRCs already known by the processes in 
Rcur). Majority influence is hence a very natural way to discriminate between strong and weak influence 
between VSRCs, see Def. 20 below. 

Definition 19 (Majority influence). We say that a VSRC Rcur G V 2 D- 1-1 exercises a majority in¬ 
fluence on a VSRC Rsuc G V 2 D+ 1 , denoted Rcur^mRsuc with C iffVR € Vn+i with 

IS{R, Rcur) = % it holds that \IS{Rcur, Rsuc)\ > \IS{R, Rsuc)\ andVR € Vd-i-i with IS{R,Rcur) ^ % it 
holds that \IS{Rcur, Rsuc)\ > \IS{R, Rsuc)\- 

The relation has the following properties: 

Lemma 18 (Properties ^m)- The majority influence relation is antisymmetric, acyclic and intransi¬ 
tive. 

Proof. Let R, R, and R be three different VSRCs stable in the intervals I, I, and /, resp. Since the 
VSRCs R and R ^ R are ordered in time according to their round intervals I and I, which must be 
disjoint, no process in R can be influenced by any process in R if Hence, R^mR cannot hold, 

which implies both antisymmetry and, by a transitive application of this argument, acyclicity. To prove 
intransitivity, observe that and R^,^R would imply IS(i?, K) > IS(i?, R) if also held, since 

no process in R can be influenced by any process in R. This contradicts IS(i?, R) ^ IS(i?, R) required by 
R^^R, however. 

Definition 20 (Strong Influence). We say that Rcur G V 2 D +1 strongly influences Rsuc G V 2 D- 1-1 and 
write Rcur^m * Rsuc, where * G V 2 £)_|_i is the transitive closure o/^m- 

Note carefully that * is antisymmetric by Lem. 18. 

With these preparations, we are now ready to specify a message adversary MAJINF(fc) given in 
Def. 21. 

Definition 21 (fc-majority influence message adversary). The message adversary MAJINF{k) is 
the set of all sequences of communication graphs {G^)r>o, where in every run 3K C V 2 D +1 with \K\ ^ k 
s.t. Vi? € V 2 D- 1-1 \ K 3R G V 2 D +1 with R^^R. 

Informally speaking, Def. 21 ensures that all but at most k “initial” VSRCs in V 2 D- 1-1 are majority- 
influenced by some earlier VSRC in V2_d+i (see Fig. 2). Note carefully, though, that Def. 21 neither 
prohibits partitioning of the system in more than k simultaneous VSRCs nor directly exhibits a k- 
quorum property, cf. the well-known quorum failure detector Sj- [12] that is known to be necessary (but 
not sufficient!) for solving fc-set agreement: After all, one could e.g. choose fc -I- 1 = 3 VSRC’s R(fl, R(f‘ 
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and i?y’’ in Fig. 2 without finding any pair among those which are majority-infiuenced by a common 
predecessor VSRC. Therefore, MAJINF(fc) alone is too strong for solving k-set agreement. The same is 
true for an alternative to Def. 21 that just ensures a /c-quorum (unless acyclicity could be guaranteed as 
well). 

Conversely, if majority influence was replaced by strong influence according to Def. 20, a quorum 
property could be easily established: Starting out from an arbitrary set of fc + 1 2D + 1-VSRCs, we 
could go back along the (acyclic) majority influence relation until we end up in the set K guaranteed by 
Def. 21. If a fc-set agreement algorithm relied on 2D + 1-VSRCs for decisions, this would guarantee that 
no more than k decision values (possibly fabricated in the “initial” 2D -|- 1-VSRCs) can be produced. A 
message adversary equivalent to Def. 21 with strong majority would be fairly weak, however. 

These observations indicate that VSRC(n, 3D + H) + MAJINF(fc) is indeed reasonably close to the 
fc-set agreement solvability border. 

We conclude this section with some straightforward stronger assumptions, which also imply Def. 21 
and can hence be handled by the algorithm introduced in Section 7.3: 

(i) Replacing majority influence in Def. 19 by majority intersection \Rsuc Cl i?| < |i?stic C Rcur\, which is 
obviously the strongest form of influence. 

(ii) Requiring \Rsuc C Rcur\ > |Rsuc|/2, i.e., a majority intersection with respect to the number of 
processes in Rsuc- This could be interpreted as a changing VSRC, in the sense of “i?sMc is the result 
of changing a minority of processes in Rcur" ■ Although this restricts the rate of growth of VSRCs 
in a run, it would apply, for example, in case of random graphs where the giant component has 
formed [21,33]. 


7.3 Gracefully degrading consensus/fc-set agreement 

In this section, we provide a fc-set agreement algorithm and prove that it works correctly under the mes¬ 
sage adversary VSRC(n, 3D -|- H) + MAJINF(fc), i.e., the conjunction of Defs. 15 and 21. Note that the 
algorithm needs to know D, but neither n nor H. It consists of a “generic” /c-set agreement algorithm, 
which relies on the network approximation algorithm of Section 5.1 for locally detecting vertex-stable 
root components and a function GetLock that extracts candidate decision values from history infor¬ 
mation. Our implementation of GetLock uses a vector-clock-like mechanism for maintaining “causally 
consistent” history information, which can be guaranteed to lead to proper candidate values thanks to 
VSRC(n, 3D+ H)+ MAJINF(A:). 

In sharp contrast to classic fc-set agreement algorithms, the algorithm is k-uniform, i.e., the parameter 
k does not appear in its code. Rather, the number of system-wide decision values is determined by the 
number of (certain) 2D + I-VSRCs occurring in the particular run. As a consequence, if the network 
partitions into k weakly connected components, for example,^® all processes in a component obtain the 
same decision value. On the other hand, if the network remains well-connected, the algorithm guarantees 
a unique decision value system-wide. 

Our algorithm is in fact not only fc-uniform but even worst-case /c-optimal, in the sense that (i) it pro¬ 
vides at most k decisions system-wide in all runs that are feasible for VSRC(n, 3D + H) + MAJINF(fc), 
and (ii) that there is at least one feasible run under VSRC(n, 3D-|-i7) -|-MAJINF(fc) where no cor¬ 
rect fc-set agreement can guarantee less than k decisions, (i) will be proved in Section 7.4, and (ii) 
follows immediately from the fact that a run consisting of k isolated partitions is also feasible for 
VSRC(n,3D -I- H) + MAJINF(fc). Our algorithm can hence indeed be viewed as a consensus algorithm 
that degrades gracefully to fc-set agreement, for some k determined by the actual network properties. 

Like the consensus algorithm in Section 5, our fc-set agreement algorithm consists of two reasonably 
independent parts, the network approximation algorithm Alg. 1 and the fc-set agreement core algorithm 
given in Alg. 4. As in Section 5.2, we assume that the complete round r computing step of the network 
approximation algorithm is executed just before the round r computing step of the fc-set algorithm, and 
that the round r message of the former is piggybacked on the round r message of the latter. Recall that 
this implies that the round r computing step of the k-set core algorithm, which terminates round r, can 

It is important to note that the network properties required by our algorithm to reach k decision values need 
not involve k isolated partitions: Obviously, k isolated partitions in the communication graph also imply k root 
components, but k root components do not imply a partitioning of the communication graph into k weakly 
connected components — one process may still be connected to several components. 
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already access the result of the round r computation of the network approximation algorithm, i.e., its 
state at the end of round r. 


Algorithm 4 /c-uniform fc-set agreement algorithm, code for process pi 

Variables and Initialization: 

1 : histi[*][*] := 0 /* histi[j][r] holds pi's estimate of the locks learned by pj in round r */ 

2 : histi [i] [ 0 ] {({pi } , , 0 )} /* virtual first lock (V(i?) {pi } , n Xi, Tcreate := 0 ) at */ 

3: t S- j j most recent lock round, _L if none 
4: decision^ := A. j j p^’s decision, _L if undecided 

Emit round r messages: 

5: send (hist^, decisioni) to all neighbors 
Receive round r messages: 

6 : for all pj in pi’s neighborhood A/*p., receive (histj, decision^) 

Round r computation: 

7: if decisioiii = i. then 

8 : if received any message m containing m.decision 7 ^ _L then 

9: decide m.decision and set decisionj m.decision 

10 : else 

// update histj with histj received from neighbors 
11 : for Pj G , where pj sent histj do 

12 : hist^ := histi // remember current history 

13: for all non-empty entries histj [ai] [r^] of histj, x ^ i do 

14: histifailfr'] hist^ [x] [r'] U histj [x] [r'] 

// locally add all newly learned locks: 

15: histj[z] hist^ \ hist^ 

// perform state transitions (undecided, locked, decided): 

16: myRoot := InStableRoot(r — 2Z), r — D) 

17: if ^ = _L and myRoot 7 ^ 0 then 

18: i:=r-2D 

19: lock GetLock(myRoot, 

20: histj[z][r] histj[ 2 ][r] U lock // create new lock 

21: else if ^ ^ J_ and myRoot = 0 then 

22 : i A- j j release unsuccessful lock 

23: else if ^ 7 ^ _L and InStableRoot[£, ^ -1- 2D] ^ 0 then 

24: decide lock.u and set decisioni := lock.u 

25: function GetLock(K, r^) 

26: Let S be the multiset Up . histj [j] [r"] 

Let mfrq(S) be the set of the most frequent elements in S 
27: Let mfrqi^tgst(S) := {x € mfrq(S) | Vp ^ a: € mfrq(S): a:.Tcreate > P-Tcreate} 

28: if |mfrqi„„„(S)| = 1 then 

29: Let v be s.v of the single element s G mfrqjg^gg^(S) 

30: newLock (i?, 17, r) 

31: else 

32: newLock (i?,maxse 5 >‘^) // deterministic choice 

33: return newLock 


The general idea of our core fc-set agreement algorithm in Alg. 4 is to generate new decision values 
only at members of 2D + 1-VSRCs, and to disseminate those values throughout the remaining network. 
Using the network approximation Ap^, our algorithm causes process pi to make a transition from the 
initially undecided state to a locked state when it detects some minimal “stability of its surroundings”, 
namely, its membership in some D + 1-VSRC D rounds in the past (line 17). Note that the latency of D 
rounds is inevitable here, since information propagation within a D 1-VSRC may take up to D rounds 
due to H-boundedness, as guaranteed by item (ii) in Def. 15. If process pi, while in the locked state, 
observes some period of stability that is sufficient for locally inferring a consistent view among all VSRC 
members (which occurs when the D + 1-VSRC has actually extended to a 2D + 1-VSRC), pi can safely 
make a transition to the decided state (line 24). The decision value is then broadcast in all subsequent 
rounds, and adopted by any not-yet decided process in the system that receives it later on (line 9). Note 
that VSRC(n, iD -|- H) (Def. 15) guarantees that this will eventually happen. 

Since locking is done optimistically, however, it may also happen that the D-l-1-VSRC does not extend 
to a 2D + 1-VSRC (or, even worse, is not recognized to have done so by some members) later on. In this 
case. Pi makes a transition from the locked state back to the undecided state (line 22). Unfortunately, 
this possibility has severe consequences: Meachanisms are required that, despite possibly inconsistently 
perceived unsuccessful locks, ensure both (a) an identical decision value among all members of a 2D 1- 
VSRC who successfully detect this 2D + 1-VSRC and thus reach the decided state, and (b) no more than 
k different decision values originating from different 2D + 1-VSRCs. 
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Both goals are accomplished by a particular selection of the decision values (using function GetLock), 
which ultimately relies on an intricate utilization the network properties guaranteed by our message 
adversary VSRC(n, 3D + H) + MAJINF(fc)(Defs. 15 and 21): Our algorithm uses a suitable lock history 
data structure for this purpose, which is continuously exchanged and updated among all reachable 
processes. It is used to store sets of locks L = {R, v, Tcreate), which are created by every process that 
enters the locked state: R is the vertex-set of the detected D + 1-VSRC, v is a certain proposal value 
(determined as explained below), and Tcreate is the round when the lock is created. 

In more detail, the lock history at process pi consists of an array histi[i]H holds p^’s (un- 
der)approximation of the locks process pj got to know in round r. It is maintained using the following 
simple update rules: 

(i) Local lock creation: Apart from the single virtual lock {{pi} ,Xi,0) created initially by pi in line 2 
(which guarantees a non-empty lock history right from the beginning), all regular locks created upon 
Pi’s transition from the undecided to the locked state are computed by the function GetLock in 
line 19. Any lock locally created at pi in round r (that is, in the round r computing step of the core 
fc-set agreement algorithm that terminates round r) is of course put into histi[z][r]. 

(ii) Remote lock learning: Since all processes exchange their lock histories, pi may learn about some lock 
L created by process Px in round r' from the lock history histj[a;][r'] received from some pj later 
on. In this case, L is just added to histi[a;][r'] (line 14). 

(iii) Local lock learning: In order to ensure that the lock histories of all members of a 2D 4- I-VSRC are 
eventually consistent, which will finally ensure identical decision values, every newly learned remote 
lock L G histi[a:][r'] obtained in (ii) is also added to histi[t] [r]. 

Note that the update rules (i)-l-(ii) resemble the ones of vector clocks [44]. 

Clearly, histi[z][r'] will always be accurate for current and past rounds r' ^ r, while histi[j][r'] may 
not always be up-to date, i.e., may lack some locks that are present in histj[j][r']. Nevertheless, if pi 
and Pj are members of the same 2D + 1-VSRC R^ with I = [r — 2D,r], Def. 9 ensures that pi and 
Pj have consistent histories histi[j][r'] and histj[z][r'] at latest by (the end of) round r' + D, for any 
r' G [r — 2D,r — D], Hence, if pi creates a new lock L when it detects, in its round r computing step, 
that it was part of a -I- 1-VSRC that was stable from r — 2D to r — D, it is ascertained that any other 
member pj will have locally learned the same lock L in the same round r, provided that the D + 1-VSRC 
in fact extended to a 2D -\- 1-VSRC. 

The resulting consistency of the histories is finally exploited by the function GetLock(i?, ^), which 
computes (the value of) a new local lock (line 19) created in round r. As its input parameters, it is 
provided with the members R of the detected D + 1-VSRC and its starting round £ = r — 2D. GetLock 
first determines a multiset S, which contains all locks locally known to the members pj G R hy round 
r — 2D (line 26). Note that the multiplicity of some lock L = {R',v,r') in S is just the number of 
members of R who got to know L by round r — 2D, which is just |IS(i?',i?)| according to Def. 18. In 
order to determine a proper value for the new lock to be computed by GetLock, we exploit the fact that 
MAJINF(fc) (given in Def. 21) ensures majority influence according to Def. 19: If the set mfrq;^^tggt(5'), 
containing the most frequent locks in S with the same maximal lock creation round, contains a single lock 
L only, its value L.v is used. Note that the restriction to the maximal lock creation date automatically 
filters unwanted, outdated locks that have merely been disseminated in preceding 2D + 1-VSRCs, see 
(1) below. Otherwise, i.e., if mfrq]^jj^.g 3 t(S') contains multiple candidate locks, a consistent deterministic 
choice, namely, the maximum among all lock values in S, is used (line 32). As a consequence, at most k 
different decision values will be generated system-wide. 

Given the various mechanisms employed in our algorithm and their complex interplay, the question 
about a more light-weight alternative solution that omits some of these mechanisms might arise. We will 
proceed with some informal arguments that support the necessity some of the pillars of our solution, 
namely, (1) the preference of most recently created locks in GetLock, (2) the creation of a new lock at 
every transition to the locked state, and finally (3) the usage of an a priori unbounded data structure 
histi. Although these arguments are also “embedded” in the correctness proof in the following section, 
they do not immediately leap to the eye and are hence provided explicitly here. 

(1) The preference of most recently created lock in GetLock, which is done by selecting the set mfrq^^^^gg.^ (S) 
in line 28, defeats the inevitable “amplification” of the number of processes that got to know some 
“old” lock: All members of a 2D + 1-VSRC have finally learned all “old” locks that were only known 
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to some of its members at the starting round of the VSRC initially. In terms of multiplicity in S, 
this would falsely make any such old lock a preferable alternative to the most recently created lock. 

(2) Instead of creating new locks at every newly detected D +1-VSRC, it might seem sufficient to simply 
update the creation time of an old lock that (dominantly) influences a newly detected VSRC. This 
is not the case, however: Consider a hypothesized algorithm where new locks are only generated if 
no suitable old locks can be found in the current history, and assume a run where two VSRCs with 
vertex sets Ri = {pi,P 2 } and R 3 = {pi,P 2 } that are both stable for + 1 rounds and two root 
components i ?2 = {pijPs} and R 4 = {^ 1 ,^ 3 } that are stable for 2D + 1 rounds are formed. Let 
these VSRCs be such that Ri is formed before Rj ii i < j and let there be no influence among the 
processes of {pi,P2,P3}, apart from their influence on each other when they are members of the same 
VSRC. First, let the processes of i?i lock on some old lock L'. Then, assume that the processes of 
i ?2 lock on some lock^® L L', a, lock not known in i?i. Since R 3 = {pi,P 2 }, if R 3 is sufficiently 
well connected, pi might lock on L' in R 3 , because L' is known to both pi and p2 while L is known 
merely to pi at the start of R 3 . Subsequently, this results in the situation in R 4 where there is neither 
a clear majority {L' and L are known to both members of R 4 ) nor a clear most recently adopted 
lock (for pi, it seems that L' is the most recent lock, while for p 3 , it seems that L is more recent). 
Consequently, in R4, it is not clear whether to lock on L.v or on L'.v. Nevertheless, the processes of 
i ?4 should be able to determine that they must lock on L and not on L', since R2'^mRi holds in our 
example: |IS(i?i, i? 2 )| = 1, |IS(i?i, i? 4 )| = 2 , |IS(i? 2 ,R 4 )| = 2 and |IS(i? 3 , i? 4 )| = I. We can therefore 
conclude that merely adopting old locks is insufficient. 

(3) Since the stabilization round tst, as implied by Def. 15, may be delayed arbitrarily, an unbounded 
number of 2D + 1-VSRCs can occur before tst- Since any of those might produce a critical lock, in 
the sense of exercising a majority influence upon some later 2D + 1-VSRC, no such lock can safely 
be deleted from histi of any pi after bounded time. 


7.4 Correctness Proof 

In this final subsection, we will prove the following Theorem II: 

Theorem 11. Alg. 4 solves k-uniform k-set agreement in a dynamic network under the message adver¬ 
sary VSRC{n,3D H) + MAJINF{k), which is the conjunction of Def. 15 and Def. 21. 

The proof consists of a sequence of technical lemmas, which will finally allow us to establish all the 
properties of k-set agreement given in Section 3. First, validity according to Def. 4 is straightforward to 
see, as only the values of locks are ever considered as decisions (line 24). Values of locks, on the other 
hand, are initialized to the initial value of a process (line 2) and later on always have values of previous 
locks assigned to them (lines 30 and 32). Note that the claimed /c-uniformity is obvious, as the code of 
the algorithm does not involve k. 

To establish termination, we start with some simple properties related to setting locks at all members 
of vertex stable root components. 

Lemma 19. Apart from processes adopting a decision sent by another process, only processes part of a 
vertex stable root with interval length greater than D (resp. 2D) lock (resp. decide). 

Proof. The if-statement in line 17 (resp. line 23) is evaluated to true only if InStableRoot detects a 
stable member set R in some interval I of length D + 1 (resp. of length 2D + 1) or larger, which implies 
by Corollary 1 that R^ is indeed a D -\- 1-VSRC (resp. 2D -\- 1-VSRC). □ 

Lemma 20. All processes part of a vertex stable root with interval length greater than 2D, which 

did not start already before a, lock, i.e. set I := a, in round a -\- 2D. 

Proof. Because is D-bounded by Def. 15, Corollary 2 guarantees that InStableRoot(a, a -I- D) 

returns R from round a -\- 2D (of the /c-set-algorithm) on, and that it cannot have done so already in 
round a -\- 2D — 1. Hence, f = T in round a -\- 2D, the if-statement in line 17 is entered and f := a is set 
in line 19. □ 

This could occur, e.g., because L is known to pa and has a more recent creation time than L' 
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Lemma 21. All processes part of a vertex stable root with interval length greater than 3D, which 

did not start already before a, have decided by round a + 3D. 

Proof. It follows from Lem. 20 that all members of the VSRC set t' := o in round a + 2D. As the 
VSRC remains stable also in rounds a + 2D,... ,a + 3D, line 22 will not be executed in these rounds, 
thus i = a remains unchanged. Consequently, due to Corollary 2, the if-statement in line 23 will evaluate 
to true at the latest in round £ + 3D = a + 3D, causing all the processes to decide via line 24 by round 
a + 3D as asserted. □ 

Lemma 22. The algorithm eventually terminates at all processes. 

Proof. For a contradiction, assume that there is pj € 11 which has not terminated after the stable interval 
guaranteed by Def. 15. This implies that pj is not part of a root component during this stable interval, 
because Lem. 21 ensures termination by rsr + 3D at the latest for the latter. Hence, pj did not get a 
decide message either. From Def. 10, it follows that there exists a causal chain of length at most PI to 
Pj from some member pi of a VSRC after its termination. Therefore, it must receive the decide message 
by rsT + 3D + H at latest. □ 

Although we now know that all members of a VSRC that is vertex stable for at least 3D rounds will 
decide, we did not prove anything about their decision values yet. In the sequel, we will prove that they 
decide on the same value. 

Lemma 23. Given some VSRC with I = [a, b] and b ^ a + D, in all rounds x G [a + D,b] it holds 
that yp„pj G R: hist4j][r'] = hist^ 

Proof. By the D-boundedness of R^, a message from round a has reached every member of R by round 
a + D. Moreover, no message sent by a process not in R during / can reach a member of R during / 
because R^ is a root component. Therefore, since hist^ is sent by each process pi in every round (line 5) 
and Pi adds only newly learned entries to hist^ (lines 15 and 20), all these updates of hist^ during I, 
regarding any round r' ^ a, occur at the latest in round a + D. □ 

Lemma 24. All processes of a VSRCs R^ o/V 2 D +1 with I = [a,b] adopt the same lock (and hence 
decide the same). 

Proof. Such a lock is created hy pi G R in round a + 2D, when it recognizes R^ as having been vertex- 
stable for D -b 1 rounds according to Lem. 20. As the lock (value) is computed based on hist^ present 
in round a + 2D, which is consistent among all VSRC members by Lem. 23, the lemma follows. □ 

Finally, we show that, given that the system satisfies Def. 21, there will be at most k decision values 
in any run of Alg. 4, which proves fc-agreement: Since there are at most k VSRCs of V 2 _d+i that are not 
majority-influenced by other VSRCs, it remains to show that any majority-influenced VSRC decides the 
same as the VSRC it is majority-influenced by. In order to do so, we will first establish a key property 
of our central data structure hist^. 

Lemma 25. Given bcur.scur] ^ \Icur\ > 2.D and any \Isuc\ ^ 1- Let L be a 

lock known to all members of Rcur by Scur, be., for all pi G Rcur it holds that, by the end of round Scur, 
L G histi[f][r']. For any process pj G Rsuc, it holds that if there exists some pi G Rcur, s.t. 

P^^PJ, then L G bistj[j][r']. 

Proof. Assume there exists api G Rcur s.t. Pi^Pj but L ^ bistj[j][r']. The definition oipi^pj 

implies that there exists a causal chain from pi to pj that ends before pj becomes a part of Rsuc- Since 
processes send their own history in every round according to line 5, every message in this causal chain 
consisted of a hist containing L and thus pj put L into its histj[j][r] via line 14 if Ur'<r 
did not already contain L. □ 

Lemma 26. Given Ri'ftf~ [rcur,Scur] g J^huc-[r.uc,S.uc] g 

V 2 D- 1 -I) assume that the processes 

of Rcur created the (same) lock L when locking. If R(^,r ^^Ri^c , then the processes of Rsuc will choose 
a lock L' where L.v = L'.v (and hence decide the same as the processes of Rcur)- 
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Proof. From the definition of (Def. 19), it follows that no VSRC of Vd+i has a larger influence 
set on Rsuc than Rcur- By Lem. 19, this implies that no lock that was generated by some R^ in Yd+i 
can be known to more members of Rsuc than the lock L generated by Rcur- Since process pi puts 
only newly learned locks into hist^ (lines 15 and 20), by Lem. 25, this means that in round rsuc no 
“bad” lock Lb is present in more elements of S' = than L. We now show 

that L.Tcreate > Lfc-Tcreate for all Lb occuring in as many elements of S as L with Lb L. Obviously, 
the only locks Lb that could occur in as many elements of S as L are locks that have been in hist^ of 
some Pi G Rcur at the beginning of round rcur already. Since for any such Lb, L was created after Lb, 
by lines 30 and 32, we have that L.Tcreate > Lb.Tcrea.te, as claimed. Because in round rsuc + 211, at all 
processes Pi,pj of Rsuc, Lem. 23 implies that Ur's;r„„c = Ur'<r,„„when locking 

in round rsuc + 21? according to Lem. 20, every pi of Rsuc will find L as the unique most common lock 
in the elements of S with maximal Tcreate- This leads to the evaluation of the if-statement in line 28 to 
true and to the creation of a new lock L', where L'.v = L.v in line 30, as asserted. □ 

This finally completes the proof of Theorem 11. 

8 Conclusions 

We introduced a framework for modeling dynamic networks with directed communication links under 
generalized message adversaries that focus on vertex-stable root components. We presented related im¬ 
possibility results and lower bounds for consensus, as well as a message adversary that is much stronger 
than the ones known so far for solving consensus, along with a suitable algorithm and its correctness 
proof. Moreover, we made a significant step towards determining the solvability/impossibility border of 
general fc-set agreement in our model. We provided several impossibility results and lower bounds, which 
also led us to the, to the best of our knowledge, first gracefully degrading consensus//c-uniform fc-set 
agreement under fairly strong message adversaries proposed so far. 
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